Windows Analysis Report
ExeFile (200).exe

Overview

General Information

Sample name: ExeFile (200).exe
Analysis ID: 1495782
MD5: f5d9021bf02680122ef5de324eb173b2
SHA1: e69e5676df042c1c54d9167d43646d5a89e4384c
SHA256: 4df448b9c01fb42bdf6482f214bdb005a27396206c8b81a40bc63782c2404eca

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ExeFile (200).exe (PID: 7432 cmdline: "C:\Users\user\Desktop\ExeFile (200).exe" MD5: F5D9021BF02680122EF5DE324EB173B2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: ExeFile (200).exe | ReversingLabs: Detection: 47%
Source: ExeFile (200).exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C97AB0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,CryptReleaseContext,0_2_00C97AB0
Source: ExeFile (200).exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: ExeFile (200).exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ExeFile (200).exe | Static PE information: certificate valid
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: ExeFile (200).exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C69C90 GetFileAttributesW,DeleteFileW,FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,DeleteFileW,0_2_00C69C90
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C75210 PathCombineW,FindFirstFileW,PathCombineW,FindNextFileW,FindClose,0_2_00C75210
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local\Temp\mediaget-installer-tmp
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local\Temp\mediaget-installer-tmp\preloader.html
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local
Source: global traffic | HTTP traffic detected:
  GET /index2.php HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
  Host: install.mediaget.com
  Content-Length: 124
  Cache-Control: no-cache
  Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 6d 65 64 69 61 67 65 74 49 6e 73 74 61 6c 6c 65 72 20 66 69 6c 65 5f 6e 61 6d 65 3d 22 45 78 65 46 69 6c 65 20 28 32 30 30 29 2e 65 78 65 22 20 61 63 74 69 6f 6e 3d 22 73 74 61 72 74 22 20 73 74 61 74 56 65 72 73 69 6f 6e 3d 22 33 39 39 22 2f 3e 0a 0a
  Data Ascii: <?xml version="1.0" encoding="UTF-8"?><mediagetInstaller file_name="ExeFile (200).exe" action="start" statVersion="399"/>
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C66C20 CreateFileW,GetLastError,InternetOpenW,SetFilePointer,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,HttpQueryInfoW,GetTickCount,GetTickCount,InternetReadFile,GetLastError,WriteFile,GetLastError,GetTickCount,GetLastError,GetLastError,GetLastError,SetEndOfFile,GetLastError,CloseHandle,CreateFileW,CreateFileW,Sleep,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00C66C20
Source: global traffic | DNS traffic detected: DNS query: install.mediaget.com
Source: ExeFile (200).exe | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: ExeFile (200).exe | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: ExeFile (200).exe | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: ExeFile (200).exe | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: ExeFile (200).exe, 00000000.00000002.3700526824.0000000009BF7000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, jquery-ui.min.1.8.0.js.0.dr | String found in binary or memory: http://docs.jquery.com/UI
Source: ExeFile (200).exe, 00000000.00000002.3700526824.0000000009BF7000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, jquery-ui.min.1.8.0.js.0.dr | String found in binary or memory: http://docs.jquery.com/UI/Mouse
Source: ExeFile (200).exe, 00000000.00000002.3700526824.0000000009BF7000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, jquery-ui.min.1.8.0.js.0.dr | String found in binary or memory: http://docs.jquery.com/UI/Widget
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=avastm
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=opera
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=operam
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3697306599.00000000013FE000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.3697878219.00000000030A8000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://install.mediaget.com/index2.php
Source: ExeFile (200).exe, 00000000.00000002.3697878219.00000000030A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://install.mediaget.com/index2.phpG
Source: ExeFile (200).exe, 00000000.00000002.3697878219.00000000030A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://install.mediaget.com/index2.phpt.exe~b
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://install.portmdfmoon.com/download/APSFEM
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004CF9000.00000004.00000020.00020000.00000000.sdmp, jquery.min.1.6.4.js.0.dr | String found in binary or memory: http://jquery.com/
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004CF9000.00000004.00000020.00020000.00000000.sdmp, jquery.min.1.6.4.js.0.dr | String found in binary or memory: http://jquery.org/license
Source: ExeFile (200).exe, 00000000.00000002.3700526824.0000000009BF7000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, jquery-ui.min.1.8.0.js.0.dr | String found in binary or memory: http://jqueryui.com/about)
Source: ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, yandex-stuff-tr.txt.0.dr | String found in binary or memory: http://legal.yandex.com.tr/browser_agreement/
Source: ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, yandex-stuff-tr.txt.0.dr | String found in binary or memory: http://legal.yandex.com.tr/desktop_software_agreement/
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://mediaget.com
Source: ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, first-page-ru.html.0.dr, yandex-stuff-new-ru.txt.0.dr, first-page-tr.html.0.dr | String found in binary or memory: http://mediaget.com/license
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1881306523.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1881389450.0000000003607000.00000004.00000020.00020000.00000000.sdmp, index.html.0.dr, first-page-en.html.0.dr | String found in binary or memory: http://mediaget.com/license?lang=en
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=en4n
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=en=
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=enLoPH-
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=enRo
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=enXo$H
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=endn8I
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=enno
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=ento
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=enzo
Source: ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://mediaget.commediagetMediaGet2Media
Source: ExeFile (200).exe | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: ExeFile (200).exe | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: ExeFile (200).exe | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://sub2.bubblesmedia.ru/client/mediaget_install
Source: ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://sub2.bubblesmedia.ru/client/mediaget_install749c4eeb900d5b934e55da9081b1b685vector
Source: ExeFile (200).exe | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: ExeFile (200).exe | String found in binary or memory: http://t2.symcb.com0
Source: ExeFile (200).exe | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: ExeFile (200).exe | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: ExeFile (200).exe | String found in binary or memory: http://tl.symcd.com0&
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://webcompanion.com/nano_download.php?partner=MK190501&campaign=729
Source: ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://webcompanion.com/nano_download.php?partner=MK190501&campaign=729http://install.portmdfmoon.co
Source: ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, bundle-webcompanion2-en.html.0.dr, bundle-webcompanion1-en.html.0.dr | String found in binary or memory: http://webcompanion.com/privacy
Source: ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, bundle-webcompanion2-en.html.0.dr, bundle-webcompanion1-en.html.0.dr | String found in binary or memory: http://webcompanion.com/terms
Source: ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, bundle-opera.html.0.dr, bundle-opera-en.html.0.dr | String found in binary or memory: http://www.opera.com/ru/eula/computers
Source: ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, bundle-opera.html.0.dr, bundle-opera-en.html.0.dr | String found in binary or memory: http://www.opera.com/ru/privacy
Source: ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, bundle-safefinder-en.html.0.dr | String found in binary or memory: http://www.safefinder.com/faq/SafeFinder/FAQ_ENG.html
Source: ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, bundle-safefinder-en.html.0.dr | String found in binary or memory: http://www.safefinder.com/privacy.html
Source: ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, bundle-safefinder-en.html.0.dr | String found in binary or memory: http://www.safefinder.com/terms.html
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://bits.avcdn.net/platform_WIN/productfamily_ANTIVIRUS/cookie_mmm_mrk_ppi_004_408_q
Source: ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chistilka.com/eula.php
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstoreweb_url
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://client.mediaget.com/uninstall
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crxapp
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crxweb_accessible_resourcespage_embed_script.js
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ExeFile (200).exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-autopush.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-preprod.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-staging.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://http://install.mediaget.com/index2.phphttps://client.mediaget.com/uninstall-installer-tmp
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://install.mediaget.com/index2.php
Source: ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://install.mediaget.com/index2.phpcrash
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033XS
Source: ExeFile (200).exe, 00000000.00000002.3697306599.0000000001485000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfIW
Source: ExeFile (200).exe, 00000000.00000002.3699632717.0000000004C87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://net.geo.opera.com/opera/stable/windows?utm_source=mgt&utm_medium=pb&utm_campaign=mgt
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://net.geo.opera.com/opera/stable/windows?utm_source=mkt&utm_medium=apb&utm_campaign=729
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://payments.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jshttps://sandbox.google.com/payments/v4/js/in
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sandbox.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, bundle-avast.html.0.dr | String found in binary or memory: https://www.avast.com/eula
Source: ExeFile (200).exe, 00000000.00000003.1870183498.00000000040F3000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.1880474404.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, bundle-avast.html.0.dr | String found in binary or memory: https://www.avast.com/privacy-policy
Source: ExeFile (200).exe | String found in binary or memory: https://www.globalsign.com/repository/0
Source: ExeFile (200).exe | String found in binary or memory: https://www.globalsign.com/repository/03
Source: ExeFile (200).exe | String found in binary or memory: https://www.globalsign.com/repository/06
Source: ExeFile (200).exe, 00000000.00000003.1844954396.00000000030AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/https://www.googleapis.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/systemPrivate
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/sierrahttps://www.googleapis.com/auth/sierrasandboxhttps://www.googl
Source: ExeFile (200).exe, 00000000.00000003.1844924163.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: ExeFile (200).exe | String found in binary or memory: https://www.thawte.com/cps0/
Source: ExeFile (200).exe | String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C99040
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C31000
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C361E0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C321F0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C351F0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C9D2E0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CA32E0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE72F0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C63280
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE72B4
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE7210
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE73E0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE7358
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE7484
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C864B0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE7428
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C32520
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CCD670
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE770C
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C508E0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C31BE0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C9FB00
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CA3CD0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C82D90
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C33FA0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00C9DE30
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: String function: 00C3BDF0 appears 76 times
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: String function: 00C3B350 appears 210 times
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: String function: 00C3B810 appears 116 times
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: String function: 00C3AEF0 appears 31 times
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: String function: 00C3B030 appears 59 times
Source: ExeFile (200).exeStatic PE information: Resource name: ARCHIVE_7Z type: 7-zip archive data, version 0.3
Source: ExeFile (200).exeStatic PE information: Resource name: ARCHIVE_7Z type: 7-zip archive data, version 0.3
Source: ExeFile (200).exe; Binary or memory string: OriginalFilename vs ExeFile (200).exe
Source: ExeFile (200).exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ExeFile (200).exe; Static PE information: Section: UPX1 ZLIB complexity 0.9912011579041488
Source: classification engine; Classification label: mal56.spyw.winEXE@1/98@1/1
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00CCC890 GetLastError,FormatMessageA,GetLastError,SetLastError
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C73BE0 GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C72640 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C654F0 FindResourceW,FindResourceW,FindResourceW,LoadResource,LoadResource,LockResource,LoadResource,LockResource,CreateDialogIndirectParamW,GetLastError,GlobalHandle,GlobalFree,GetLastError,SetLastError
Source: C:\Users\user\Desktop\ExeFile (200).exe; File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Source: C:\Users\user\Desktop\ExeFile (200).exe; Mutant created: \Sessions\1\BaseNamedObjects\mediaget-installer-singleapplication-mutex
Source: C:\Users\user\Desktop\ExeFile (200).exe; File created: C:\Users\user\AppData\Local\Temp\mediaget-installer-tmp
Source: C:\Users\user\Desktop\ExeFile (200).exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ExeFile (200).exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ExeFile (200).exe; ReversingLabs: Detection: 47%
Source: ExeFile (200).exe; String found in binary or memory: https://install.mediaget.com/index2.php
Source: ExeFile (200).exe; String found in binary or memory: mediaget-installer-2/binaries/download.php?a=mediaget-lib
Source: ExeFile (200).exe; String found in binary or memory: -installer-tmp\
Source: ExeFile (200).exe; String found in binary or memory: http://install.mediaget.com/index2.php
Source: ExeFile (200).exe; String found in binary or memory: mediaget-installer-2/installer-html/getHtml.php?inst_ver=
Source: ExeFile (200).exe; String found in binary or memory: mediaget-installer-2/binaries/download.php?a=mediaget-bin-test
Source: ExeFile (200).exe; String found in binary or memory: mediaget-installer-2/binaries/download.php?a=mediaget-lib-test
Source: ExeFile (200).exe; String found in binary or memory: mediaget-installer-2/binaries/download.php?a=mediaget-bin
Source: ExeFile (200).exe; String found in binary or memory: mediaget-installer-2/bundles/bundle.php?b=
Source: ExeFile (200).exe; String found in binary or memory: fusion-installing
Source: ExeFile (200).exe; String found in binary or memory: --installer
Source: ExeFile (200).exe; String found in binary or memory: -install-event
Source: ExeFile (200).exe; String found in binary or memory: <load_html>(.*?)</load_html>
Source: ExeFile (200).exe; String found in binary or memory: /install-silent
Source: ExeFile (200).exe; String found in binary or memory: <additional_parameters>(.*?)</additional_parameters>
Source: ExeFile (200).exe; String found in binary or memory: http://install.portmdfmoon.com/download/APSFEM
Source: ExeFile (200).exe; String found in binary or memory: http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=avastm
Source: ExeFile (200).exe; String found in binary or memory: <install_fusion>(.*?)</install_fusion>
Source: ExeFile (200).exe; String found in binary or memory: http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=operam
Source: ExeFile (200).exe; String found in binary or memory: http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=opera
Source: ExeFile (200).exe; String found in binary or memory: -installer-singleapplication-mutex
Source: C:\Users\user\Desktop\ExeFile (200).exe; File read: C:\Users\user\Desktop\ExeFile (200).exe
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: sxs.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: msiso.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: mshtml.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: srpapi.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: msimtf.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: msls31.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: secur32.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: mlang.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: profext.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: jscript9.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07034fd-6caa-4954-ac3f-97a27216f98a}\InProcServer32
Source: ExeFile (200).exe; Static PE information: certificate valid
Source: C:\Users\user\Desktop\ExeFile (200).exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: ExeFile (200).exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00D842F0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00CD69ED push ecx; ret 0_2_00CD6A00
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00CD6A59 push ecx; ret 0_2_00CD6A6C
Source: initial sample; Static PE information: section name: UPX0
Source: initial sample; Static PE information: section name: UPX1
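The static packing indicators listed for this sample (UPX0/UPX1 section names, a UPX1 section with ZLIB complexity 0.99, a 7-Zip archive carried as a resource, a 32-bit image) can be re-checked on a copy of the file without the sandbox. The script below is an added example, not Joe Sandbox code: it parses the PE section table with the standard library, uses Shannon entropy in place of Joe Sandbox's "ZLIB complexity" score, and searches for the 7z signature header. The PE it analyses is a constructed stand-in built by build_sample(); the real file's layout and offsets are not claimed here.

```python
"""Static packing triage with the standard library only.  Added example, not
Joe Sandbox code; build_sample() produces a constructed stand-in, not the
analysed file."""
import math
import random
import struct

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # first 6 bytes of a 7z signature header
IMAGE_FILE_MACHINE_I386 = 0x14C


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one.
    Packed or compressed sections sit close to 8; plain x86 code is lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Yield (name, raw_offset, raw_size) for each section of a PE image.
    Minimal parser: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(nsect):
        off = table + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", blob, off + 8)
        yield name, rptr, rsize


def triage(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag UPX section names, sections whose raw bytes exceed the entropy
    threshold, the 32-bit machine type and the offset of an embedded 7z header."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
    findings = {
        "machine_32bit": machine == IMAGE_FILE_MACHINE_I386,
        "upx_sections": [],
        "high_entropy": {},
        "sevenzip_offset": None,
    }
    for name, rptr, rsize in pe_sections(blob):
        if name.upper().startswith("UPX"):
            findings["upx_sections"].append(name)
        ent = shannon_entropy(blob[rptr:rptr + rsize])
        if ent >= entropy_threshold:
            findings["high_entropy"][name] = round(ent, 2)
    idx = blob.find(SEVEN_ZIP_MAGIC)
    if idx >= 0:
        findings["sevenzip_offset"] = idx
    return findings


def build_sample() -> bytes:
    """Constructed stand-in: a skeletal PE32 with UPX0 (zero-filled), UPX1
    (pseudo-random bytes standing in for compressed code) and .rsrc starting
    with the 7z signature.  Deterministic; the seed is arbitrary."""
    rng = random.Random(20240101)
    sections = [
        (b"UPX0", b"\0" * 64),
        (b"UPX1", bytes(rng.getrandbits(8) for _ in range(4096))),
        (b".rsrc", SEVEN_ZIP_MAGIC + b"\0" * 58),
    ]
    e_lfanew, opt_size = 0x40, 0xE0                       # PE32 optional header size
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (headers_len + 0x1FF) & ~0x1FF            # 512-byte file alignment
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections),
                       0, 0, 0, opt_size, 0x0102)         # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    table, body = bytearray(), bytearray()
    for i, (name, data) in enumerate(sections):
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", len(data), 0x1000 * (i + 1), len(data),
                             first_raw + len(body))
        table += struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020)  # CODE | EXECUTE | READ
        body += data
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0")
    return bytes(headers + body)


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

On a real sample, replace build_sample() with the file's bytes; a UPX1 section scoring near 8 bits per byte alongside a near-empty UPX0 is the usual UPX footprint, and the 7z offset is where to carve the embedded archive for separate analysis.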
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C87E20 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
Source: C:\Users\user\Desktop\ExeFile (200).exe; Process information set: NOOPENFILEERRORBOX (logged 9 times)
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: 44B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: 9A80000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A2E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A300000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A3A0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A420000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A480000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A4A0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A4C0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A540000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A560000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A580000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A5C0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A640000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A660000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A680000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A6A0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A6C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A6E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A700000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A720000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: A740000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe; Window / User API: threadDelayed 4396
Source: C:\Users\user\Desktop\ExeFile (200).exe; Window / User API: threadDelayed 5435
Source: C:\Users\user\Desktop\ExeFile (200).exe TID: 7512; Thread sleep time: -439600s >= -30000s
Source: C:\Users\user\Desktop\ExeFile (200).exe TID: 7512; Thread sleep time: -543500s >= -30000s
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C69C90 GetFileAttributesW,DeleteFileW,FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C75210 PathCombineW,FindFirstFileW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\ExeFile (200).exe; File opened: C:\Users\user\AppData\Local\Temp\mediaget-installer-tmp
Source: C:\Users\user\Desktop\ExeFile (200).exe; File opened: C:\Users\user
Source: C:\Users\user\Desktop\ExeFile (200).exe; File opened: C:\Users\user\AppData\Local\Temp\mediaget-installer-tmp\preloader.html
Source: C:\Users\user\Desktop\ExeFile (200).exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\ExeFile (200).exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\ExeFile (200).exe; File opened: C:\Users\user\AppData\Local
Source: ExeFile (200).exe, 00000000.00000002.3697306599.0000000001462000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.3697306599.00000000013FE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\ExeFile (200).exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00CD5E26 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00D842F0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00CD5107 GetProcessHeap,RtlAllocateHeap,RtlInterlockedPopEntrySList,VirtualAlloc,RtlInterlockedPopEntrySList,VirtualFree,RtlInterlockedPushEntrySList
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C783C0 InterlockedIncrement,CloseHandle,RtlInitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,RtlInitializeCriticalSection,RtlEnterCriticalSection,SetUnhandledExceptionFilter,RtlLeaveCriticalSection
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C78180 GetCurrentThreadId,SetUnhandledExceptionFilter,RtlLeaveCriticalSection
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C77970 FreeLibrary,FreeLibrary,FreeLibrary,RtlEnterCriticalSection,SetUnhandledExceptionFilter,RtlLeaveCriticalSection,RtlDeleteCriticalSection,TerminateThread,CloseHandle,CloseHandle,RtlDeleteCriticalSection,CloseHandle,CloseHandle,InterlockedDecrement,RtlDeleteCriticalSection
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C78CC0 RtlEnterCriticalSection,SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C78D90 SetUnhandledExceptionFilter,RtlLeaveCriticalSection
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00CD5E26 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\ExeFile (200).exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C68A60 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C73CE0 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\ExeFile (200).exe; Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ExeFile (200).exe; Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ExeFile (200).exe; Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ExeFile (200).exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ExeFile (200).exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C56030 CreateNamedPipeW
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00CD6EA8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00C40920 GetVersionExW
Source: ExeFile (200).exe, 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: AVGUI.exe

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\ExeFile (200).exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\Desktop\ExeFile (200).exe; Code function: 0_2_00CB8380 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket
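The call sequence behind the "open a port and listen" signature above (socket, htonl, setsockopt, bind, getsockname, listen, socket, connect, accept, send, recv, closesocket) is also the textbook way to build a connected socket pair on Windows, which has no socketpair(): bind a listener to INADDR_LOOPBACK on port 0, read the ephemeral port back with getsockname, connect a second socket to it, accept, and close the listener. Whether this sample does exactly that is not something the report settles, so the following is an added example, not code from the sample or from Joe Sandbox: it replays the sequence in Python and shows what a reviewer should check before calling it a backdoor, namely the bind address and whether the listening port survives past the accept.

```python
"""Replay of the socket/bind/getsockname/listen/connect/accept sequence on
loopback.  Added example, not part of the report or the analysed sample."""
import socket


def port_accepts_connections(port: int, host: str = "127.0.0.1") -> bool:
    """True if something is still listening on host:port."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.settimeout(0.5)
    try:
        probe.connect((host, port))
        return True
    except OSError:
        return False
    finally:
        probe.close()


def loopback_pair(payload: bytes = b"ping") -> dict:
    """Run the sequence end to end and report what an observer sees: the
    address the listener was bound to, the ephemeral port, the bytes that
    crossed the connection, and whether the port still listens afterwards."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client = server = None
    try:
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind(("127.0.0.1", 0))       # htonl(INADDR_LOOPBACK), port 0 = ephemeral
        addr, port = listener.getsockname()   # learn which port the OS handed out
        listener.listen(1)
        client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        client.connect((addr, port))          # connect to ourselves
        server, _peer = listener.accept()
        listener.close()                      # the listening port disappears here
        client.sendall(payload)
        echoed = server.recv(len(payload))
        return {
            "bound_to": addr,
            "port": port,
            "echoed": echoed,
            "still_listening": port_accepts_connections(port),
        }
    finally:
        for s in (client, server):
            if s is not None:
                s.close()
        listener.close()


if __name__ == "__main__":
    print(loopback_pair())
```

A real listener for inbound access binds INADDR_ANY or a routable address and keeps accepting; a socketpair emulation binds 127.0.0.1 and the port is closed as soon as the one connection is accepted. The report's network section and the bind arguments in the disassembly, not the API list alone, decide which case applies.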
MITRE ATT&CK matrix (matched techniques only; the number in parentheses is the count of signatures mapped to the technique):

Execution: Command and Scripting Interpreter (2), Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (1), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (2), Disable or Modify Tools (1), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (21), Software Packing (11), DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1)
Discovery: System Time Discovery (1), Security Software Discovery (31), Virtualization/Sandbox Evasion (2), Process Discovery (2), Application Window Discovery (1), File and Directory Discovery (3), System Information Discovery (24)
Collection: Archive Collected Data (11), Data from Local System (1)
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12)
No techniques matched under Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.

Source | Detection | Scanner | Label
ExeFile (200).exe | 47% | ReversingLabs | Win32.Trojan.Generic
ExeFile (200).exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://jquery.org/license | 0% | URL Reputation | safe
https://curl.haxx.se/docs/http-cookies.html | 0% | URL Reputation | safe
https://drive-staging.corp.google.com/ | 0% | URL Reputation | safe
http://sub2.bubblesmedia.ru/client/mediaget_install749c4eeb900d5b934e55da9081b1b685vector | 0% | Avira URL Cloud | safe
http://mediaget.com/license?lang=ento | 0% | Avira URL Cloud | safe
https://www.avast.com/privacy-policy | 0% | Avira URL Cloud | safe
http://www.safefinder.com/privacy.html | 0% | Avira URL Cloud | safe
http://www.safefinder.com/faq/SafeFinder/FAQ_ENG.html | 0% | Avira URL Cloud | safe
https://payments.google.com/payments/v4/js/integrator.jshttps://sandbox.google.com/payments/v4/js/in | 0% | Avira URL Cloud | safe
https://sandbox.google.com/payments/v4/js/integrator.js | 0% | Avira URL Cloud | safe
https://bits.avcdn.net/platform_WIN/productfamily_ANTIVIRUS/cookie_mmm_mrk_ppi_004_408_q | 0% | Avira URL Cloud | safe
https://payments.google.com/ | 0% | Avira URL Cloud | safe
https://net.geo.opera.com/opera/stable/windows?utm_source=mkt&utm_medium=apb&utm_campaign=729 | 0% | Avira URL Cloud | safe
https://drive-daily-2.corp.google.com/ | 0% | URL Reputation | safe
https://drive-autopush.corp.google.com/ | 0% | URL Reputation | safe
https://drive-daily-4.corp.google.com/ | 0% | URL Reputation | safe
https://drive-daily-1.corp.google.com/ | 0% | URL Reputation | safe
https://docs.google.com/ | 0% | Avira URL Cloud | safe
https://drive-daily-5.corp.google.com/ | 0% | URL Reputation | safe
https://curl.haxx.se/docs/http-cookies.html# | 0% | Avira URL Cloud | safe
http://mediaget.com/license?lang=en= | 0% | Avira URL Cloud | safe
https://install.mediaget.com/index2.phpcrash | 0% | Avira URL Cloud | safe
https://http://install.mediaget.com/index2.phphttps://client.mediaget.com/uninstall-installer-tmp | 0% | Avira URL Cloud | safe
https://www.thawte.com/cps0/ | 0% | URL Reputation | safe
https://drive.google.com/ | 0% | Avira URL Cloud | safe
http://install.portmdfmoon.com/download/APSFEM | 0% | Avira URL Cloud | safe
http://docs.jquery.com/UI/Widget | 0% | Avira URL Cloud | safe
https://install.mediaget.com/index2.php | 0% | Avira URL Cloud | safe
https://client.mediaget.com/uninstall | 0% | Avira URL Cloud | safe
https://drive-daily-6.corp.google.com/ | 0% | URL Reputation | safe
https://drive-daily-0.corp.google.com/ | 0% | URL Reputation | safe
https://www.thawte.com/repository0W | 0% | URL Reputation | safe
http://jqueryui.com/about) | 0% | URL Reputation | safe
https://www.google.com/systemPrivate | 0% | Avira URL Cloud | safe
http://mediaget.com/license?lang=enzo | 0% | Avira URL Cloud | safe
http://mediaget.commediagetMediaGet2Media | 0% | Avira URL Cloud | safe
http://sub2.bubblesmedia.ru/client/mediaget_install | 0% | Avira URL Cloud | safe
https://net.geo.opera.com/opera/stable/windows?utm_source=mgt&utm_medium=pb&utm_campaign=mgt | 0% | Avira URL Cloud | safe
https://drive-preprod.corp.google.com/ | 0% | URL Reputation | safe
https://chrome.google.com/webstore | 0% | Avira URL Cloud | safe
http://mediaget.com/license?lang=en | 0% | Avira URL Cloud | safe
http://install.mediaget.com/index2.php | 0% | Avira URL Cloud | safe
http://jquery.com/ | 0% | URL Reputation | safe
http://mediaget.com/license?lang=en4n | 0% | Avira URL Cloud | safe
http://mediaget.com/license?lang=endn8I | 0% | Avira URL Cloud | safe
https://www.avast.com/eula | 0% | Avira URL Cloud | safe
http://install.mediaget.com/index2.phpG | 0% | Avira URL Cloud | safe
http://docs.jquery.com/UI | 0% | Avira URL Cloud | safe
http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=opera | 0% | Avira URL Cloud | safe
https://drive-daily-3.corp.google.com/ | 0% | URL Reputation | safe
https://payments.google.com/payments/v4/js/integrator.js | 0% | Avira URL Cloud | safe
http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=operam | 0% | Avira URL Cloud | safe
http://mediaget.com/license?lang=enLoPH- | 0% | Avira URL Cloud | safe
http://webcompanion.com/nano_download.php?partner=MK190501&campaign=729 | 0% | Avira URL Cloud | safe
http://docs.jquery.com/UI/Mouse | 0% | Avira URL Cloud | safe
https://chistilka.com/eula.php | 0% | Avira URL Cloud | safe
http://webcompanion.com/privacy | 0% | Avira URL Cloud | safe
http://mediaget.com/license | 0% | Avira URL Cloud | safe
http://www.opera.com/ru/eula/computers | 0% | Avira URL Cloud | safe
http://legal.yandex.com.tr/desktop_software_agreement/ | 0% | Avira URL Cloud | safe
http://www.opera.com/ru/privacy | 0% | Avira URL Cloud | safe
http://mediaget.com | 0% | Avira URL Cloud | safe
http://mediaget.com/license?lang=enRo | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstoreweb_url | 0% | Avira URL Cloud | safe
http://mediaget.com/license?lang=enno | 0% | Avira URL Cloud | safe
http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=avastm | 0% | Avira URL Cloud | safe
http://mediaget.com/license?lang=enXo$H | 0% | Avira URL Cloud | safe
http://install.mediaget.com/index2.phpt.exe~b | 0% | Avira URL Cloud | safe
http://legal.yandex.com.tr/browser_agreement/ | 0% | Avira URL Cloud | safe
http://webcompanion.com/nano_download.php?partner=MK190501&campaign=729http://install.portmdfmoon.co | 0% | Avira URL Cloud | safe
http://webcompanion.com/terms | 0% | Avira URL Cloud | safe
https://sandbox.google.com/ | 0% | Avira URL Cloud | safe
https://www.google.com/ | 0% | Avira URL Cloud | safe
http://www.safefinder.com/terms.html | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
lb-ks-1.mediaget.com | 185.130.105.44 | true | false | | unknown
install.mediaget.com | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://install.mediaget.com/index2.php | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.130.105.44 | lb-ks-1.mediaget.com | Netherlands | 14576 | HOSTING-SOLUTIONSUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1495782
Start date and time: 2024-08-20 16:35:21 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ExeFile (200).exe
Detection: MAL
Classification: mal56.spyw.winEXE@1/98@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 91
• Number of non-executed functions: 182
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: ExeFile (200).exe
Time | Type | Description
10:37:11 | API Interceptor | 1539539x Sleep call for process: ExeFile (200).exe modified
Match: HOSTING-SOLUTIONSUS
Associated Sample Name / URL | Detection | Threat Name | Context
Mega.nz Spreader.exe | malicious | Laplas Clipper, Meduza Stealer | 45.159.189.105
file.exe | malicious | Amadey | 185.209.162.226
http://tqwwwcom.ru/ | malicious | Unknown | 204.155.30.34
xworm.exe | malicious | Unknown | 185.209.160.70
Fb9Ff8L4T7 | malicious | RHADAMANTHYS | 185.209.160.99
file.exe | malicious | Vidar, Xmrig | 185.209.162.208
file.exe | malicious | Vidar, Xmrig | 185.209.162.208
05F1TC85Up.exe | malicious | DanaBot | 45.159.189.76
05F1TC85Up.exe | malicious | DanaBot | 45.159.189.76
Process: C:\Users\user\Desktop\ExeFile (200).exe
File Type: data
Category: dropped
Size (bytes): 49120
Entropy (8bit): 0.0017331682157558962
Encrypted: false
SSDEEP: 3:Ztt:T
MD5: 0392ADA071EB68355BED625D8F9695F3
SHA1: 777253141235B6C6AC92E17E297A1482E82252CC
SHA-256: B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512: EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\ExeFile (200).exe
File Type: HTML document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 728
Entropy (8bit): 5.4386472019762975
Encrypted: false
SSDEEP: 12:pn/trccM3uksu/eGIh7JZ4mySGIS4I5mUfSxDRRXkt8ZDRRFm5dYMv:1d7SquWGIhJGIS4sKRRRy8JRRQfYMv
MD5: 3E31181EFAB6491D1BFE8C691B215CF9
SHA1: 6C5E9E4B61DFC705A7D4DE8A22E4F815CE825C0D
SHA-256: 906B1C8178054D73592B09D01CC776E9F467FE84CB31176006B9B9DC1DDB10AE
SHA-512: 498016A85306B202D85455DEC3925C3A10636867010488540F4F1BBEBC12121C458791C33F499E1CB902FDEFAD27ABCA77D8B06726AE0D12B030FF0FD925811F
Malicious: false
Reputation: low
      Preview:<div id='##PAGE_ID##' class='selPage'>....<img src='./img/360_offer_small.jpg' style='position:absolute;left:0px;top:0px;'/>....<input type='checkbox' id='av360_installCheck' checked='checked' style='display:none'/>....<div style="position:absolute;left:15px;top:250px;cursor:pointer;"><img src="./img/cancel-cancel-grey.png" onClick="javascript:skip_av360()"></div>....<div style="position:absolute;left:485px;top:250px;cursor:pointer;"><img src="./img/next.png" onClick="##NEXT_PAGE_BUTTON##"></div>..</div>....<script language='javascript'>...function skip_av360()......{...... document.getElementById('av360_installCheck').checked = false;.......document.getElementById('currentState').value = 'skip';......}..</script>..
Process: C:\Users\user\Desktop\ExeFile (200).exe
File Type: HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 2238
Entropy (8bit): 5.561714876398931
Encrypted: false
SSDEEP: 48:OXufI8SGYjySs3uQxkmEQIJEZIu4InRJG5gpKvNKM4vYKNKMWcM:OXgdSGe8ukrEUr41
MD5: 10F6C2A03E3792543A41A4D33AA0F083
SHA1: 1841B1E82BC157705B26B2ECF081AFA4D3BFC3E6
SHA-256: 59BACB21B65C2BA31EE3A74975AC8E7AB7A2C2DDD7850B8E979E730F83C5EE70
SHA-512: 09BC9146A5018EF9C9028393E1FA7293D2481BC18705CF2F118B1B21E9F717924AF47D02080F3F0355C8AA3BD053DBACF55414D7E43F31D1CD0FB024C33FF237
Malicious: false
Reputation: low
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <img src='./img/avast-screen-ru.jpg' style='position:absolute;left:0px;top:0px;'/>.. ....<input type='checkbox' id='avast_installCheck' checked='checked' style='display:none'/>.... <div id='operaCheckIconDiv' style="position:absolute;left:30px;top:190px;" onclick='return avastChecked();'><img id="operaCheckImg" src="./img/checkbox-black-on.png"></div> -->....<div style='position:absolute;left:25px;top:285px; font-size: 12px; face: Calibri; color: gray; background-color: RGB(241, 241, 241); width: 680px; height: 35px; z-index: 9999'>........ ..........., . .......... .. ......... ......... Avast Antivirus . ........ .......<br>....<a href='https://www.avast.com/eula' target='blank' style="color: Gray;">............. ..........</a> . ............. . ....<a href='https://www.avast.com/privacy-policy' target='blank' style="colo
Process: C:\Users\user\Desktop\ExeFile (200).exe
File Type: HTML document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3053
Entropy (8bit): 5.178326749717347
Encrypted: false
SSDEEP: 48:4ui6Py5M5h5v+uGIVfySGFSyStpo8q1IN6SIS4zsRNFG5Anp07n9NKM4vN8noNKn:4uF6+jt+LtSG0xpoZ1fStMWsnrL
MD5: D50FD619C84501EC4C920C5757B9E4F0
SHA1: 0625AD5F60D65B41F68ACFF3491D7669100683A4
SHA-256: 06AB1A2EE7F4E0BB2AF43907EB503FF69932DCE59DAEE982F2C65A22C0AC91CD
SHA-512: D8D0EE71C6156CD85CBCA0FC6319DF4863946726DBC67E70C3E674580A20FD1C858D35CE0FC5EA6C039DF97ACC46E5E50B57AFE70B4F740F2A815FCC95CB0BB7
Malicious: false
Reputation: low
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <div style='position:absolute;left:20px;top:10px; font-size: 30px; face: Calibri; color: #42B2EE;'>Install Opera Browser</div>.. <img src='./img/opera/opera-logo.png' style='position:absolute;left:580px;top:10px;'/>.. <img src='./img/opera/opera-mockup2.jpg' style='position:absolute;left:298px;top:60px;'/>.. .. <div style='position:absolute;left:20px;top:60px; font-size: 16px; face: Calibri'>Fast and Secure Internet Browser</div>.. .. <div style='position:absolute;left:50px;top:100px; font-size: 14px; face: Calibri'>Ad bloker</div>.. <img src='./img/opera/opera-adblock.png' style='position:absolute;left:20px;top:100px;'/>.. .. <div style='position:absolute;left:50px;top:130px; font-size: 14px; face: Calibri'>Battery saver</div>.. <img src='./img/opera/opera-battery.png' style='position:absolute;left:20px;top:130px;'/>.. .. <div style='position:absolute;l
Process: C:\Users\user\Desktop\ExeFile (200).exe
File Type: HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 3435
Entropy (8bit): 5.564181724424449
Encrypted: false
SSDEEP: 96:4uUbAj6Mh+LtSG053Jrsj1yfdStyWsnrL:4zbAjhhsta1Jwj1yfAe
MD5: 6AF3DD94AA58F23DCF11A1E797497B14
SHA1: 839CA22201CEE968EC104188433223C2CB44CDEC
SHA-256: C937BB7270769158DD8C625F878D641F550F4FAD719C8FBA99C5AD7E681B591D
SHA-512: B6F38B079478BBACC08237149C4443AEF62041DFAAC2E7FF12A2194E1BA4F29D8C9814776669DF0D5263944FC5C6A3ADEDCA4ACABCE446241FB50440413A18CB
Malicious: false
Reputation: low
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <div style='position:absolute;left:20px;top:10px; font-size: 30px; face: Calibri; color: #42B2EE;'>.......... ....... Opera</div>.. <img src='./img/opera/opera-logo.png' style='position:absolute;left:580px;top:10px;'/>.. <img src='./img/opera/opera-mockup2.jpg' style='position:absolute;left:298px;top:60px;'/>.. .. <div style='position:absolute;left:20px;top:60px; font-size: 16px; face: Calibri'>......., .......... . .......</div>.. .. <div style='position:absolute;left:50px;top:100px; font-size: 14px; face: Calibri'>.......... .......</div>.. <img src='./img/opera/opera-adblock.png' style='position:absolute;left:20px;top:100px;'/>.. .. <div style='position:absolute;left:50px;top:130px; font-size: 14px; face: Calibri'>........ ...... .......</div>.. <img src='./img/opera/opera-battery.png'
Process: C:\Users\user\Desktop\ExeFile (200).exe
File Type: HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 2517
Entropy (8bit): 5.189415942341495
Encrypted: false
SSDEEP: 48:nIsPl/+FuVdGGMySLUqmIKImARZG5gpABWM4vYoWMWMM:nVN/uEGGM/xmLX
MD5: 9E78557B60DADEF5D8EA00070EE88CA1
SHA1: DB9BA07407B05AF64442DE33F4CB1CA50EB20578
SHA-256: B289AA157775432E386C07FB77CB57F9E3F98BE5BF4A777EEE37428D579559A6
SHA-512: DD7094E92ECD4DF5C197567DB8409C3D37DF73B1D9CA9D011D715D22CB8DD1366E27691979D920EC8DFB050A42F2E19058FC061197CEBE658D072D7B49CE5591
Malicious: false
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <div style='position:absolute;left:20px;top:20px; font-size: 20px; face: Calibri; color: black;'>Install SafeFinder</div>.. .. <div style='position:absolute;left:20px;top:70px; font-size: 16px; face: Calibri'>SafeFinder gives you the optimal way to share, search, work & play. Improve your search experience and set SafeFinder as my homepage, new tabs and default search engine on compatible browsers.</div>.. ....<input type='checkbox' id='safefinder_installCheck' checked='checked' style='display:none'/>....<div id='safefinderCheckIconDiv' style="position:absolute;left:20px;top:150px;" onclick='return safefinderChecked();'><img id="safefinderCheckImg" src="./img/checkbox-black-on.png"></div>........<div style='position:absolute;left:45px;top:150px; font-size: 12px; face: Calibri'>By clicking .Accept. you agree to the ....<a href='http://www.safefinder.com/terms.html' target='blank' style="color: Gray;">Legal
Process: C:\Users\user\Desktop\ExeFile (200).exe
File Type: HTML document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 828
Entropy (8bit): 5.355846111989816
Encrypted: false
SSDEEP: 24:1o7SeiuuGI8xGIS4m4zo4ILRRRGC8JRRQfYMv:1o7XiuJI8AIS4m4zo4KRKCG2Pv
MD5: 7E43E9642E82E1B58455A7112F77CBC4
SHA1: E79038B507D5539B53131DCEE93FFCF2AE7CBAF9
SHA-256: 62067016760757E26C17A48587AEA0EA71119FD60DFB70AF23AE8D7561A344E9
SHA-512: 414F14277DF45D621AA50F67E45846DCF4AAB0F2120D39D8D5E6A86F0C18588B5D499668CD793B9F48D7959091C32BFDCEB37C1C9ABB2FA4A47C7EDAE472327E
Malicious: false
      Preview:<div id='##PAGE_ID##' class='selPage'>....<img src='./img/turbom-en.jpg' style='position:absolute;left:0px;top:0px;'/>....<input type='checkbox' id='turbom_installCheck' checked='checked' style='display:none'/>....<div style="position:absolute;left:150px;top:250px;cursor:pointer;"><img src="./img/cancel-cancel-grey-en.png" onClick="javascript:skip_turbom()"></div>....<div style="position:absolute;left:340px;top:250px;cursor:pointer;"><img src="./img/next-en.png" onmouseover="this.src='./img/next-hovered-en.png';" onmouseout="this.src='./img/next-en.png';" onClick="##NEXT_PAGE_BUTTON##"></div>..</div>....<script language='javascript'>...function skip_turbom()......{...... document.getElementById('turbom_installCheck').checked = false;.......document.getElementById('currentState').value = 'skip';......}..</script>..
Process: C:\Users\user\Desktop\ExeFile (200).exe
File Type: HTML document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 823
Entropy (8bit): 5.356733917249688
Encrypted: false
SSDEEP: 24:1Dn7SeiuuGIPxGIS42m4wo42ILRRRGC8JRRQfYMv:1Dn7XiuJIPAIS4Z4wo4hRKCG2Pv
MD5: 3F3CFD6828B8D9E7E0F4475F723DA1DC
SHA1: 7E96DD5406469322BFE1636D89795D2470FE25E8
SHA-256: EAD88946728C652D7994C4BFAC122F03493025E52E8D5687786518B2B2207184
SHA-512: 8124B74973C7AE6596F11F926903C28C6F6AF69D071277275E0D7E40136623078348C80C0716410A39C1B295DB86C82B07BE1F2AD0F9305E513622289EF792FA
Malicious: false
      Preview:<div id='##PAGE_ID##' class='selPage'>....<img src='./img/turbom-tr.jpg' style='position:absolute;left:0px;top:0px;'/>....<input type='checkbox' id='turbom_installCheck' checked='checked' style='display:none'/>....<div style="position:absolute;left:150px;top:250px;cursor:pointer;"><img src="./img/cancel-cancel-tr.png" onClick="javascript:skip_turbom()"></div>....<div style="position:absolute;left:340px;top:250px;cursor:pointer;"><img src="./img/next-tr.png" onmouseover="this.src='./img/next-hovered-tr.png';" onmouseout="this.src='./img/next-tr.png';" onClick="##NEXT_PAGE_BUTTON##"></div>..</div>....<script language='javascript'>...function skip_turbom()......{...... document.getElementById('turbom_installCheck').checked = false;.......document.getElementById('currentState').value = 'skip';......}..</script>..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):813
      Entropy (8bit):5.356974825717192
      Encrypted:false
      SSDEEP:24:167SeiuuGIhcxGIS4o4Zo4CLRRRGC8JRRQfYMv:167XiuJIqAIS4o4Zo48RKCG2Pv
      MD5:5C0A257B14139E3BC56E806D6C737F22
      SHA1:78E117894DB43BB98D1D96930F54E46B1F63B8CB
      SHA-256:DBB780A98852C298334A4AF878D167098D59AD12AC67FA08CE69CA113484C803
      SHA-512:CE0C9383E7C2EA19CDA6A98DDF05FBC3A29EE1AE73A7A2DFB0D3935E02634EDA13A48267F6785ED7EFE79C6B89CE83F52853174D5DB088408CFBC99D89EFE11D
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>....<img src='./img/turbom.jpg' style='position:absolute;left:0px;top:0px;'/>....<input type='checkbox' id='turbom_installCheck' checked='checked' style='display:none'/>....<div style="position:absolute;left:150px;top:250px;cursor:pointer;"><img src="./img/cancel-cancel-grey.png" onClick="javascript:skip_turbom()"></div>....<div style="position:absolute;left:340px;top:250px;cursor:pointer;"><img src="./img/next.png" onmouseover="this.src='./img/next-hovered.png';" onmouseout="this.src='./img/next.png';" onClick="##NEXT_PAGE_BUTTON##"></div>..</div>....<script language='javascript'>...function skip_turbom()......{...... document.getElementById('turbom_installCheck').checked = false;.......document.getElementById('currentState').value = 'skip';......}..</script>..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):2609
      Entropy (8bit):5.188751741660367
      Encrypted:false
      SSDEEP:48:wUuiDjAXsI+tfgurmuDwVyAzfGiSySlq1Jvq2IcGXImYqRQnG52MpbZpSaQUM4vO:xu8EStfgDFjGnyo28i
      MD5:7C7898C8D209930579C0F5A2C3047B42
      SHA1:D8E186E9241D8BA574F509E2495179B0FA726DC7
      SHA-256:0AE3B07E1AC729CE46967228EADFF909BB1F6B5FC49D340428524AE33D153869
      SHA-512:BD49F69F35D8D6B3326D819E700070F78A5AEBAA97B4F0627A1E2CCF2C640C7622BD2D9777CCC3FBBCA99A76504608FEE9977295D2604B0B647E1BD7BE3A38CF
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <div style='position:absolute;left:20px;top:10px; font-size: 30px; face: Calibri; color: #42B2EE;'>Optional Offer | Adaware Web Companion</div>-->........<img src='./img/wc-logo.png' style='position:absolute;left:20px;top:20px;'/>.. .. <div style='position:absolute;left:20px;top:80px; font-size: 15px; face: Calibri'>Adaware Web Companion helps you safely browse the web by blocking malicious sites and phishing scams.<br><br>....Block malicious threats by installing Adaware Web Companion. Improve your internet security and set your homepage, new tabs and default search to Bing. by Microsoft. on compatible browsers.</div>.. ....<input type='checkbox' id='webcompanion_installCheck' checked='checked' style='display:none'/>....<div id='webcompanionCheckIconDiv' style="position:absolute;left:20px;top:195px;" onclick='return webcompanionChecked();'><img id="webcompanionCheckImg" src="./img/checkbox-black-on.pn
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):2610
      Entropy (8bit):5.175489598720475
      Encrypted:false
      SSDEEP:48:wUuiDjAXsI+tf7muDwVyAzfGiSySlq1Jvq2IcGXImYqRQnG52MpbZpSaQUM4vQIS:xu8EStfaFjGnyo28i
      MD5:0AB512819E3B4AF624ABF099E026C857
      SHA1:953CDD96269F5B5C367CBE6C914C10616E201610
      SHA-256:682488B97C19961DE3C14B32EBDFE90D9CB3D76F668B0C71115E500FE2D6D805
      SHA-512:3ED287207C151A45F1D836FBE986C1AE93FA7469FE3953984F61AD2621B657192405DC62C068B7BB4BA48B32CB604FA937867FDED9CA337E15B400C1A7A58268
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <div style='position:absolute;left:20px;top:10px; font-size: 30px; face: Calibri; color: #42B2EE;'>Optional Offer | Adaware Web Companion</div>-->........<img src='./img/wc-logo.png' style='position:absolute;left:20px;top:20px;'/>.. .. <div style='position:absolute;left:20px;top:80px; font-size: 15px; face: Calibri'>Adaware Web Companion helps you safely browse the web by blocking malicious sites and phishing scams.<br><br>....Block malicious threats by installing Adaware Web Companion. Improve your internet security and set your homepage, new tabs and default search to SecureSearch by Adaware on compatible browsers.</div>.. ....<input type='checkbox' id='webcompanion_installCheck' checked='checked' style='display:none'/>....<div id='webcompanionCheckIconDiv' style="position:absolute;left:20px;top:195px;" onclick='return webcompanionChecked();'><img id="webcompanionCheckImg" src="./img/checkbox-black-on.p
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):1553
      Entropy (8bit):5.6827161111568865
      Encrypted:false
      SSDEEP:24:SVOHEk15JiQs7tcUr6S6Nj1W60kOKl/2EQOlfvBiGIUfGIS4+0BRRRh8JRRQVdb:mOHEk15JiQmb6S38OVUptIVIS4fRFGG
      MD5:4E7EA3F060C0601B24F133F8B9A186AF
      SHA1:5836A16D083998EA7037AD4CE4860F936F35CFA0
      SHA-256:73A0B0075106D27FA9777280F8F8FCFB879B95C4721D9FBAA6854C8AC4C7974A
      SHA-512:148E81B0C32E03AF7E968C7AC4D71DCC450D6C5FC9D46A77CA7E1CC9BC14005FE6CDE2516879717F28DABAE433B1B5CD0C8D843253780AF4D60F74C12B705A81
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <img src='./img/yandex/yabrowser-title.png' style='position:absolute;left:220px;top:15px;'/>.. <img src='./img/yandex/yabrowser-plus.png' style='position:absolute;left:5px;top:105px;'/>.. .. <div style='position:absolute;left:90px;top:70px; font-size: 18px; face: Calibri; color: red; '>.......... ......., .......... ....... . ..... .......</div>.. ....<input type='checkbox' id='yandex_installCheck' checked='checked' style='display:none'/>........<div style="font-size: 12px; face: Calibri; color: black; position:absolute;left:15px;top:215px; z-index: 9999">........... "..........", .. .......... ............ .......... <a href='http://legal.yandex.ru/browser_agreement/' target='blank'> ...... ........</a> .....<a href='http://legal.yandex.ru/desktop_software_agreement/' target='blank'> .. ....
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):1872
      Entropy (8bit):5.6999157790312465
      Encrypted:false
      SSDEEP:48:zOY1553YIX5PgiQYU6Sw8OS9IAIS44R7GG:zOYp3tzQNs8Vltv
      MD5:1AB73FECAB21C6CC4B22527B1AD5234C
      SHA1:4AD1F0BEAC7402FEE64565BD18B86E60E2574181
      SHA-256:5FBDCD9AB1DF58B0B5D530F6834F183C287DAB5CB46BB47D24BFB37357DFD7E5
      SHA-512:2462BEDDCE5CDEBC206104AB2BA28EEB86978F629DE231100A0939E70A764D813A4CFDD8B484DA3AF8C66AC493CA04696209A307C959FB847AFD078FA8018D0D
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <img src='./img/yandex/yasovetnik-title.png' style='position:absolute;left:220px;top:20px;'/>.. <img src='./img/yandex/yasovetnik-screenshot.jpg' style='position:absolute;left:330px;top:75px;'/>......<div style='position:absolute;left:30px;top:75px; font-size: 18px; face: Calibri; color: red;'>....... ...... .... .. ......</div>........<div style='position:absolute;left:30px;top:110px; font-size: 14px; face: Calibri'>............ ........, ..... .. ..........<br> ............ ......, .......... ...<br> ............. . ........ .............<br> .......... ........-.........,<br> ..... ........... ..... ...... ........</div>.. ....<input type='checkbox' id='yasovetnik_installCheck' checked='checked' style='display:none'/>........<div style="font-size: 12px; fac
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):9681
      Entropy (8bit):5.150565791535141
      Encrypted:false
      SSDEEP:192:oGPsp1sugDG1Vv4WxVAxVLip75+L8+oiB48oqNC:oeUpgDG1Vv4EAxVLip75+L8+oiB48oqU
      MD5:3CEA2EB18AB74B059DB23F3489DAF74D
      SHA1:2DA9598C0C6BCEB9929AC3C4C484665C4EC25B4E
      SHA-256:F7BF37699F6A08BC2053BD72064C4CF61FDF5F34F2344372341A90EE784079CE
      SHA-512:B35BF6FF0D73FB61C4AAB46703B57F311A64602D245C1923E40946B836D06D7E85276DE29A8F2EF94F8FEA66DF68B76AE6B5CD08E2DD345461415426744D7615
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>.. <div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CLOSE##"><img src="./img/close.png"></div>.. <div style="position:absolute;left:40px;top:40px;"><img class="mediagetLogo" src="./img/mediaget-logo.png"></div>.....<div style='position:absolute;left:230px;top:30px; font-size: 20px; face: Calibri'><b>Fast downloads</b></div>.....<div style='position:absolute;left:230px;top:70px; font-size: 14px; face: Calibri'>To continue with installation just click "Continue"</div>..... .....<div id="closeLabel" style='position:absolute;left:230px;top:140px; font-size: 14px; face: Calibri; color: Gray;cursor:pointer' onClick="##CLOSE##" onmouseover="return mouseOverClose()" onmouseout="return mouseOutClose()">Cancel</div>.....-->.....<div style="position:absolute;left:310px;top:128px;cursor:pointer"><img id="nextBtnImg" src="./img/next-en.png" onClick="##NEXT_PAGE_BUTTON##" onmouseover="return mouseOverNext()" onmouseout="return
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):12253
      Entropy (8bit):5.1663969930349305
      Encrypted:false
      SSDEEP:192:8pcaap5OWpgx6J9W2boJfTzWICQWJxyniIiRiq9Yh6zndIdRdqJRI7k:8pCHtze7aZQcM7qR9Yh6L2HcJRI7k
      MD5:6BB07D6FF02DC6398F9520EBBF8B6D07
      SHA1:7AF435C6AD36169432CA636044230DC3A367EF04
      SHA-256:FC3A415E1D6F764351B99639A03E32631C3525A3BA54D72DA0492232110152FF
      SHA-512:79329E2164A7B88AC0CC096349196559473DA5CBB6BF5084EA8255F608807D3A144F5E1AE536206AB8592471EF0214D5823339C1B3FB3BBE8FAA3C40D866B777
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>..<div style="position:absolute;left:10px;top:10px;"><img src="./img/mediaget-logo.png" height="30px" width="30px"></div>..<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CLOSE##"><img src="./img/close.png"></div>.....<div style='position:absolute;left:160px;top:15px; font-size: 20px; face: Calibri; color:DarkSlateGray;';>........ ........ ...... MediaGet</div>.....<div style='position:absolute;left:80px;top:50px; font-size: 20px; face: Calibri'>... ......... ..... ... ........ ...... ..........</div>..........<input style='position:absolute;left:40px;top:90px; display:none' type='checkbox' id='addFirewallExceptionCheck' checked>.....<input style='position:absolute;left:40px;top:110px; display:none' type='checkbox' id='addWindowsAutostart' checked/> .....<input style='position:absolute;left:300px;top:80px; display:none' type='checkbox' id='addFilesAssocia
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):11957
      Entropy (8bit):5.207621051207641
      Encrypted:false
      SSDEEP:192:IGFgb2gx6J9W2boJfRRluYFWTcXWXfyniIiRiq9Yh6zndIdRdqJRI7U:IQeLjWTcX8M7qR9Yh6L2HcJRI7U
      MD5:E8E3D64CD3CE18A45DA3FA3D078644D6
      SHA1:C03C8D2F81998C119D628D60EBB6B48F19F97D12
      SHA-256:DBB588446AB6A0FD4993FC385D7E4A50BEF75F3698827F223886FED8E3A0E3D9
      SHA-512:E6496C45801686EB78C5047EA36E81B845890F68E6F5F9138DBE940829B246E7FE6C09564A20252C697417DBD762C9E40915F55C7C08D0AF84753F235E18592E
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>..<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CLOSE##"><img src="./img/close.png"></div>.. <div style="position:absolute;left:40px;top:40px;"><img class="mediagetLogo" src="./img/mediaget-logo.png"></div>.....<div style='position:absolute;left:230px;top:30px; font-size: 20px; face: Calibri'><b>....... ........ ......</b></div>.....<div style='position:absolute;left:230px;top:70px; font-size: 14px; face: Calibri'>... ......... ..... ........ ...<br>........ ...... ..........</div>.....<div style="position:absolute;left:280px;top:128px;cursor:pointer"><img id="nextBtnImg" src="./img/next.png" onClick="##NEXT_PAGE_BUTTON##" onmouseover="return mouseOverNext()" onmouseout="return mouseOutNext()"></div>..........<div style="position:absolute;left:40px;top:200px;cursor:pointer; z-index: 9999">......<div style="font-size: 14px; face: Calibri; color:
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):11738
      Entropy (8bit):5.0483804223524995
      Encrypted:false
      SSDEEP:192:kHANJVgx6J9W2boJfRUg0Xm3onWsuyniIiRiq9Yh6zndIdRdqJRI7g:LPeQm3onSM7qR9Yh6L2HcJRI7g
      MD5:04CDFA7E072948AFF164E2E347AE077E
      SHA1:E8576D046AA7286BEDB374B52B5FB66C660AA34E
      SHA-256:4DDB2B7255D3AC03DA234A34971E1EF5E5DB8710CAC2C8BD3F7644F67C9DFED6
      SHA-512:EA38EAD19B6792361F72F359D53D1F68D9A479D49A6DFC299315AE8FF52570279FD821F6B472F0DFD6BD220274C3F6221E4346835DB34E35D81088610395D698
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>.. <div style="position:absolute;left:40px;top:40px;"><img class="mediagetLogo" src="./img/mediaget-logo.png"></div> .....<div style='position:absolute;left:230px;top:30px; font-size: 24px; face: Calibri'><b>##TITLE##</b></div>.....<div style='position:absolute;left:230px;top:90px; font-size: 14px; face: Calibri'>Medya i.eri.ini indirebilmek i.in "devam" 'a t.klamal.s.n.z</div>.....<div id="closeLabel" style='position:absolute;left:230px;top:140px; font-size: 14px; face: Calibri; color: #BEBEBE;cursor:pointer' onClick="##CLOSE##" onmouseover="return mouseOverClose()" onmouseout="return mouseOutClose()">Iptal</div>.....<div style="position:absolute;left:300px;top:128px;cursor:pointer"><img id="nextBtnImg" src="./img/next-tr.png" onClick="##NEXT_PAGE_BUTTON##" onmouseover="return mouseOverNext()" onmouseout="return mouseOutNext()"></div>..........<div style="position:absolute;left:40px;top:200px;cursor:pointer; z-index: 9999">......<div sty
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with very long lines (357), with CRLF line terminators
      Category:dropped
      Size (bytes):955
      Entropy (8bit):5.575059197703277
      Encrypted:false
      SSDEEP:12:FRgQM0g8U+SskX9Dl1b1c5A0KbYz6+SskAmKa2AlABAEdEtlFBRJAlA7Eep6AbzY:TWP83ShN51W60K0Sh/BLlfjBROlwBg
      MD5:EFE8B553B302B54B8B3B36442C7F92E9
      SHA1:A79AD2B9FD9783C83C21982F205408D914490A00
      SHA-256:0F65B9A2883FFAFBFA7FDA230F6DB26A35D3683218B6162CC46C3BA483E6E752
      SHA-512:EF465E312B752FE100217D8F73C68AD1DB76A714DF5EBE1F89F4032CF5606A640FF40E4F835BB35C2964842584E6DC950ED7C869CED6FB1EDA7AD65C8478D476
      Malicious:false
      Preview:<div style="font-size: 10px; face: Calibri; color: gray; position:absolute;left:40px;top:240px; z-index: 9999"><img class="mediagetLogo" src="./img/yandex-logo-ru-gray.png"></div>..<div style="font-size: 12px; face: Calibri; color: DarkSlateGray; position:absolute;left:160px;top:235px; z-index: 9999">....... "..........", .. ............ .. .........:</div>..<div style="font-size: 12px; face: Calibri; color: DarkSlateGray; position:absolute;left:160px;top:255px;">... .......... ..........:<br> ..<a href='http://legal.yandex.ru/desktop_software_agreement/' target='blank' style="color: DarkSlateGray;">........... .. .......</a>,<br><a href='http://legal.yandex.ru/browser_agreement/' target='blank' style="color: DarkSlateGray;"> ...... ........</a>,<a href='http://mediaget.com/license' target='blank' style="color: DarkSlateGray;"> MediaGet</a></div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with very long lines (487), with CRLF line terminators
      Category:dropped
      Size (bytes):788
      Entropy (8bit):5.550513698850116
      Encrypted:false
      SSDEEP:12:Fti4XUM0VdUR4w9Dl1b1c5A0F2rlJAlABAEdbacBhIFGAlAzbepU0HYzHPo:G4Vus4Q51W60F20lfWNBhIF7lG62TPo
      MD5:68E589AB2C32A2E08AC8F80D997A1087
      SHA1:84A7C3C9DD72A4859DAEFA41E849B792A60B03FD
      SHA-256:D5D56F2F71A322AFB4C931ABCE9C7FF82B75C7107A145BEAE535C9887935169B
      SHA-512:FD3F94CC1088E241D000DE46BDBFBB7F818EC62E9FF54BD000A153CB41B182BE420B914EB5794EA7917C5842E3D010264072B3DEFF4FD70692CA68BDE6AC9F9C
      Malicious:false
      Preview:<div style="font-size: 11px; face: Calibri; color: Gray; position:absolute;left:40px;top:235px; z-index: 9999"><img class="mediagetLogo" src="./img/yandex-logo-ru.png"></div>..<div style="font-size: 10px; face: Calibri; color: Gray; position:absolute;left:160px;top:230px; z-index: 9999">....... "..........", .. .......... <br> ............ .......... ...........<br> <a href='http://legal.yandex.ru/desktop_software_agreement/' target='blank' style="color: Gray;">.. .......</a> . <a href='http://legal.yandex.ru/browser_agreement/' target='blank' style="color: Gray;"> ...... ........</a>.<br>.. ..... ......... ....... Chrome <br>..... ............</br></div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with very long lines (456), with no line terminators
      Category:dropped
      Size (bytes):466
      Entropy (8bit):5.1827473712588885
      Encrypted:false
      SSDEEP:12:FR4XUp3CSBJAlGAEdbSKAlIbVSzZOuq6RXPL:T4IOlpWWlIpSzZY6xL
      MD5:BC602FE860B934B83DC7A39CA5119626
      SHA1:EB8CBF076D5ABD2909EF2841DE2A6DCEB81C10A5
      SHA-256:0CB2310C38DB9F50631C29054E35A9AADA1BF0D205FA041D67FBCED29128EEDE
      SHA-512:BCC7121731B90910D4C85D2F841A5319F14DFA0D3A47FDC32450449EC400A711000BFB1A42FBAC4AF9ACBEDFBC7EDF87C09D0288E9B59AAFCAE8A667DDF6EA3D
      Malicious:false
      Preview:<div style="font-size: 10px; face: Calibri; color: Gray; position:absolute;left:40px;top:235px; z-index: 9999">"Devam" butonuna t.klad...n.zda, <br><a href='http://legal.yandex.com.tr/desktop_software_agreement/' target='blank' style="color: Gray;"> Yandex</a> ve <a href='http://legal.yandex.com.tr/browser_agreement/' target='blank' style="color: Gray;">Yandex Browser</a> lisans s.zle.mesini kabul<br> etmi. olursunuz. Chrome yeniden ba.lat.lacak.</div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:exported SGML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):677
      Entropy (8bit):5.381720504085217
      Encrypted:false
      SSDEEP:12:8HyOcGiMqLySb86pVXq2ySb86euXmyxlqZgIe1myOZg4v4:onDub86pxxb86BFcgIayg4v4
      MD5:E57D564FA41ED5EA0A7F7A9852A63FA4
      SHA1:0B60EDE6A53241A7890B699A64D6353449EC9511
      SHA-256:7B33A1645C15771B863D6C6C1AF1C8EFFBA22FAD9DED94E6F67F2DF1BECD0B66
      SHA-512:A400D0820F2F8FB34A32BFC309F1568D090F91F671C4E7E659D3912E13CB1BE4819C3A653088562AC0C82E6BBEEE64A0B42CDCA5C3DABCA7C648E21A91F0E0A8
      Malicious:false
      Preview:<div id="##PAGE_ID##" class='selPage'>...<div style="position:absolute;left:0px;top:0px;"><img src="./img/cancel_page_simple_en.jpg"></div>.. ...<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CLOSE_BUTTON##"><img src="./img/close.png"></div>..-->...<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CANCEL_BUTTON##"><img src="./img/close.png"></div>...<div style="position:absolute;left:410px;top:210px;cursor:pointer;" onClick="##CANCEL_BUTTON##"><img src="./img/yes-en.png"></div>...<div style="position:absolute;left:120px;top:210px;cursor:pointer;" onClick="##TRY_BUTTON##"><img src="./img/no-en.png"></div>..</div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:exported SGML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):677
      Entropy (8bit):5.381720504085217
      Encrypted:false
      SSDEEP:12:8HyOcGiMqLySb86pVXq2ySb86euXmyxlqZgIe1myOZg4v4:onDub86pxxb86BFcgIayg4v4
      MD5:E57D564FA41ED5EA0A7F7A9852A63FA4
      SHA1:0B60EDE6A53241A7890B699A64D6353449EC9511
      SHA-256:7B33A1645C15771B863D6C6C1AF1C8EFFBA22FAD9DED94E6F67F2DF1BECD0B66
      SHA-512:A400D0820F2F8FB34A32BFC309F1568D090F91F671C4E7E659D3912E13CB1BE4819C3A653088562AC0C82E6BBEEE64A0B42CDCA5C3DABCA7C648E21A91F0E0A8
      Malicious:false
      Preview:<div id="##PAGE_ID##" class='selPage'>...<div style="position:absolute;left:0px;top:0px;"><img src="./img/cancel_page_simple_en.jpg"></div>.. ...<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CLOSE_BUTTON##"><img src="./img/close.png"></div>..-->...<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CANCEL_BUTTON##"><img src="./img/close.png"></div>...<div style="position:absolute;left:410px;top:210px;cursor:pointer;" onClick="##CANCEL_BUTTON##"><img src="./img/yes-en.png"></div>...<div style="position:absolute;left:120px;top:210px;cursor:pointer;" onClick="##TRY_BUTTON##"><img src="./img/no-en.png"></div>..</div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:exported SGML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):669
      Entropy (8bit):5.380023504221536
      Encrypted:false
      SSDEEP:12:8HyOceqLySb86pVXq2ySbIeuXmyxlqZgIedmyOZg4QUd4:o1ub86pxxbIBFcgI4yg4v4
      MD5:CA9BB2A0A69D0EABBF616D0BE35CECD1
      SHA1:687DF9984B88C6F394D2D8BE64A0AAEF1A3E8CC7
      SHA-256:7A4F5103E8B7A7EDE0A08FDFED809037256BB989197D1D45F57ED8ABD68EA0D5
      SHA-512:CF838F765DE0FBFCC7AB16BCA9FF7043B5BFF738B513E9ECBD49C932CF2E3E5CB9440DE5F36A4461FDC26E2528A44FF3B0BB4887BE1A3E7F5838CBAA392B688B
      Malicious:false
      Preview:<div id="##PAGE_ID##" class='selPage'>...<div style="position:absolute;left:0px;top:0px;"><img src="./img/cancel_page_simple.jpg"></div>.. ...<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CLOSE_BUTTON##"><img src="./img/close.png"></div>..-->...<div style="position:absolute;left:660px;top:7px;cursor:pointer;" onClick="##CANCEL_BUTTON##"><img src="./img/close.png"></div>...<div style="position:absolute;left:410px;top:210px;cursor:pointer;" onClick="##CANCEL_BUTTON##"><img src="./img/yes.png"></div>...<div style="position:absolute;left:120px;top:210px;cursor:pointer;" onClick="##TRY_BUTTON##"><img src="./img/no.png"></div>..</div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2016:03:21 12:57:40], baseline, precision 8, 680x232, components 3
      Category:dropped
      Size (bytes):30507
      Entropy (8bit):7.451190034170032
      Encrypted:false
      SSDEEP:768:xcBDGrp2k5iA/cIFpQVRP8YRhA3LosCiU0:hrp2kZFpQbjRh+CE
      MD5:0CCF12B7766E6B9F8ADA1D837C87BEFC
      SHA1:63A712AD7E7CB8B710EEFF215D3C164C777AEAD8
      SHA-256:8B17DF1B2DDA0E59878F23E75AF2681A5C9CCBAE40E504532733A835C4450140
      SHA-512:E51607C9DD548DC8F0C77DC6C4946A541E5ADF35C848079A9D8987AEF26283C46093D79E289C31AE12B2D2E7F9286971DB3E02ECA9CCB0C7CDF942F22DA706CD
      Malicious:false
      Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS6 (Windows).2016:03:21 12:57:40..................................................................................&.(.........................................H.......H..........JFIF.....H.H.....C.....................................%...#... , #&')*)..-0-(0%()(...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((......7....".......................................<.........................!.1A.Q."a.2q...#...$BCRU...3r....................................,.......................!1A....Ba..R.."#Q..............?..-.i.X..>O`<..V...e...Z[....0'.)....>..8..Ky..),l.Xw.Q.Z.....,.dS.LJ#.x...;..{W.w_P.........7....i.7m.<.c.'..<z...H R.C.$S.Wp.>.B_.....9.....VE=..M(PA.9.8..N).sr.nt{Z!4.D..l-[.........G....;R..[.....>.T...\..t..F.H.<c..Bk..f...`.....q..}..L...M...I<j.H....7...@2}+BR.0........EX/t.B.A..T0.. ....,q
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4499
      Entropy (8bit):7.925436237660937
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xXasz5Hg8DvRyN:bSHIIHUCD4wadasdfyN
      MD5:1D6E2B901F7145832E4FA54C57A5BF77
      SHA1:BDC34E2535610AE1E54FD4F0A1931CCA753182F0
      SHA-256:BF8F91B944B9D437FE83974096C4F3D2AD93991690FA0A6D25002BE713AAB651
      SHA-512:D1EB04DF6D260E31E3549BCF01DB33C7F843624AE4A33211BB0B5A762A591F4531DACA49E33CFA6F30EA4BF21A2805D8E93D6CB5353BC9BE5756AA56829FBB97
      Malicious:false
      Preview:.PNG........IHDR.......(.....Wi......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3935
      Entropy (8bit):7.90263688431469
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xe+4+J0ItuLOSsCM/:bSHIIHUCD4wav4+J0ItUsb
      MD5:6974CD17749849D5AAE93AF0A2D5C460
      SHA1:3826D9AB26FE22D3F93583C556A560198AE6D72E
      SHA-256:3A505EF15D53235CC633A6137B8232C48825677391CCC911B90ED8FA911BCF19
      SHA-512:B634BEAA392E174208724BD02D3EC9CF7D6E3C446DC279EB5AF1814B6C88712120C01A35C9BF6C7F732D92600286B339574B2B519DA2AD070963EEF3C7340A75
      Malicious:false
      Preview:.PNG........IHDR.......(.....Wi......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2020:04:15 14:04:14], progressive, precision 8, 680x320, components 3
      Category:dropped
      Size (bytes):60483
      Entropy (8bit):7.736136999624722
      Encrypted:false
      SSDEEP:1536:2iZOVTiZOVBsolblEPlI54bwQJWr/JtI/orrPL:2fVTfV/YdS4bwXIgrrj
      MD5:14E0F07D43D39C8BA158782CAA28E1FE
      SHA1:D10F33A86EF44C46861688379690D841C51A735D
      SHA-256:9C170036649A9DA9ABCD7EBE6931BC8E9E1E8070C7DDA821F06CB4A69F87296E
      SHA-512:4A1CF493BDCB09FB9CB594B4BC70D8E6439C95A70C26F07F758C2A55C988D24D49019C9D89907BB485A164DCFC0C45922E730CBE1DC5C2376A58BA08C22D782B
      Malicious:false
      Preview:.....:Exif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS6 (Windows).2020:04:15 14:04:14......................................@...........................................&.(.........................................H.......H.........XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch....
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2020:04:15 14:03:49], progressive, precision 8, 680x320, components 3
      Category:dropped
      Size (bytes):56837
      Entropy (8bit):7.799998050440673
      Encrypted:false
      SSDEEP:1536:OsfJ7j1McItevM3kLe42ikc+9yZyuvT5pFoWFuV:hDMcwefe6+9UyuvT5S
      MD5:106667145B71B8CB7369B3BBC09EE1ED
      SHA1:F4D341034C19AD77EC0E41230EE3B907D0F02321
      SHA-256:7A008591B88E5409DCF908AAB375E5557A9FBD8F61058F949012C69015B7ECAE
      SHA-512:8E8408EE55B312DE1A2607CE6CC6EF7E46BD3A707AF40FDBFD38C1347AEAE1AFF0AA214666D1F08C7709826387FF40EEB90D36871C89E09532CA5E085EEF81CD
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3479
      Entropy (8bit):7.896434420518669
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xX+XF854m3:bSHIIHUCD4wax+eWm3
      MD5:B763B80BA47497BD8DFBC3758A31CBA7
      SHA1:5CC664E75D68C1484726815A0BA81D2C7A3FE30C
      SHA-256:4FB6BF93445C6E987D988F9E3ACA6A8380A56F8AFDBAB4940EE69FD20E82B457
      SHA-512:6FF42A9DCE2FF90614BBB1135A3DD311A5D3F65616964DD7207D8ADCD0B9314ECF56965D17763F72664E091B95161F5DF509ECD384AA57B8AD708285C5192DCD
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4359
      Entropy (8bit):7.913299632309897
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xLZjVtdpLyNGb9DvVLB6/:bSHIIHUCD4watHtdeGxNBY
      MD5:3E44D126179E4FEFDE781534458337D8
      SHA1:C00B6C28E7B2D79834822E165C42A1BA46E0E04B
      SHA-256:B1CB1F753910CE1AF9445FC559970D5ECF918C3BA589EE2F98D568727C38B250
      SHA-512:80FF1C4F512D7D21701DB077B3961F2A59DFAAE8AEBEFB0AF841DA6F442C5317B595448E18A2C0E11C27E2AE8F8578CB719BAF2DA962CB08CAF8BF4E64981C9B
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3300
      Entropy (8bit):7.879764416710231
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xPqNGpqxpf6:bSHIIHUCD4wadqNGwxd6
      MD5:A654BA9FD8904DFAFD090B09D42DFF13
      SHA1:853C66E60697F3ED2F9D6B79C3C5B07362DBDA02
      SHA-256:B168C81582AAB262A7683B4EDE2796F2B07B7DD5B20C256BA09CF2A9DF9865B0
      SHA-512:C0F13CA919184B3736E6254861E58D565D679C7206E6395F02AC798346693A289E545BDF31CA8A815CD5A22B8A0B63E6130E45C9CC91043900DA81C9A0FC6AF8
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4568
      Entropy (8bit):7.93453321447606
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xQtNuFZ4kr9jhQFjkRWAp:bSHIIHUCD4wa+tNuFekJEmWk
      MD5:FF072DFE13633B9E50675D7D68A90313
      SHA1:DDCCBAE1A3FA851C448D521F5269A480C98D76DD
      SHA-256:D16E4B93290D8E12AFAA50C55ADEC23D8F1396D790D19D9B1FEB533EDAD7549B
      SHA-512:5642C0BACAA26BD518868C66C008BB82C1300551CC80AA3D8530878FA7A04A6165315994698A4ABA714A6F9E78E4959A9C38E656F78E5D3ED0430E325DC3DBC8
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4314
      Entropy (8bit):7.917177368893782
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xytObk36ZfuQfcAE9mwJwo9U:bSHIIHUCD4wai6haA4m3
      MD5:5F7599F93FEB5A69A267A97115D5E9B7
      SHA1:BECC65EEDBD499A478C671E91C9FD7AF25BDE0E3
      SHA-256:267C56377617DA011B90FC05DFB836EE19678033A9AB642FDA42A68F212D775A
      SHA-512:4D43BBAFC54E36ADC8F43D26392DDF6E9B2D0445C527E93ADE1B88F5FC811578084828CC1730CC8ADD15B7D19FCD7C949C921F1C478FD75049CAC0DDF08167F2
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 206 x 62, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):1626
      Entropy (8bit):7.708694112589448
      Encrypted:false
      SSDEEP:24:TME2IGijqWq72LbOnbNsIA9MBbLgfjbcjhgbQ46MIwkJRneGp234ZqvjlYITA9JX:T9GiRquObN0+ujbHaMI1yLcAhYrvP
      MD5:6D99956B38246482EBAAACF875FCB680
      SHA1:757ACA17309ECABC50A533491A15F294CEC5366A
      SHA-256:14BDF8206611F5D3409067DD41E8CB6746600F5BDCC03C28D70E21478C4A4B5D
      SHA-512:475A0D164AFE11EF3891CAE6D6DE4410168EDA803023E9FB0BAE86B42BA64C66893BE093FD2EED02CD719AFBC9BC49388768CB5F7EDE76592EE66A453967F8A0
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):4991
      Entropy (8bit):7.928803006278162
      Encrypted:false
      SSDEEP:96:ySMllcHitlIxv9vk7C1+I4wWHLihk/xbuDjYU2OmVCXz6g7GBWeFMD8P:ySHIIHUCD4wautmVCVyB3FV
      MD5:943E1EA5CEC617A488BA0243977B108E
      SHA1:C85EB79D8C92328075798C7C3F622895E311A6B3
      SHA-256:9F4E10337AFBCBD927CD445C285FF48CE47F3C2EBF04E6A9AFD271BBA3BDBFC4
      SHA-512:E5E1202435463452B1C318323592A28AE81E2E2B0E6372EAD28D23534F217B3D4F66376A0A1165A16870AB4D10C349064E5A0F416182BE841E37B4EF884B0419
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3985
      Entropy (8bit):7.909025723521929
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xkHRrWd+GxgUrQ:bSHIIHUCD4waGxKkGNs
      MD5:B3DD5AD11C8B9F0163596FF34F96FC51
      SHA1:8BC6E3F265D1678CB06BBE1F1033836C689BF6D2
      SHA-256:9ABBC64E23EF322032018D48C01650F375AC16D0FE1717ED169405DDFB416F65
      SHA-512:A52B3B96F93AB6623C969E20621617851716D3ACC1908A932A7CAED912F5E2212D5C1DCB03458ACDD23784731A1E615B29E5EC59E9A46556B1258C948EFFEC95
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3883
      Entropy (8bit):7.906842992589639
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xojdj6AKDC/DsRUb2:bSHIIHUCD4waMF6ARbsRUb2
      MD5:7B2A7E4182325D1F6ECF4AB3A804CB9B
      SHA1:A7DD7E31AA3139A7E93996BD8445C4E10045F30C
      SHA-256:9AC72796032C936D1C4DF6F3560A6D90E793ABED7166A1A9BA7CB205FF71025F
      SHA-512:7032FB6226E863E25CB981CC776C8BAC1070361C59044023D6C9B399A85B0C311F6B591E71F053D29FDA45E4A6867AE2BFE01519809BCD84147D6DBE859CFB18
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4257
      Entropy (8bit):7.911489962328254
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xZvxPex2dpCl4:bSHIIHUCD4wa1dyC
      MD5:0C20E488CB0E79CCD4668387E84F9C1E
      SHA1:D656AACB334753D641352CBDAE28E7285EF1D8FB
      SHA-256:9BD84EDBDFE0BA75B4D067C335DE6D3DAD90E203EA12915F9A67DBB402437CEA
      SHA-512:335CE68F563148ADEA6B33D0BB295AF109D28850C7F3C8AF78BDA5F58C545D3674532732763C0B5CBAF63149F24399212ADC6D07B3CAEAC90897650CA39EE838
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 206 x 62, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):1492
      Entropy (8bit):7.677563509243536
      Encrypted:false
      SSDEEP:24:Tc/WHRyNVIQtc1U4zyX8XI/9xqYZmzgVxkE+hZgtNMcgOB98EO9Q766ww6ww6wwY:TgWUdGI3qDnE+hZaM1OIE6QuGGGGn9
      MD5:29FB1E2193E89A21ABE4630B14F88DDA
      SHA1:E68AC71D0101B1B34875B11C4273093A151B1FC9
      SHA-256:793CC89013DEDCB1E1F4B8E4DE2C696BD87F60AEB4450D9B99F1C1E8F09E8739
      SHA-512:F4A76AB2BFAE58C10974ED6881E8D3748474690B2D67F04ED10722E6E6DC82F693381C15E652AEADCC8EA5F294C16DEA1C4DBD5535B6CE10D3A66B904B06294B
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4154
      Entropy (8bit):7.910770766730817
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xOihQOFNf62or:bSHIIHUCD4waMVOFNf6N
      MD5:9ED03195F26D875220702B075E29C6C0
      SHA1:CA402040918A23EF5C967FD505E5BE1087DB3D9A
      SHA-256:1BC28C53F21A5E0083B9C2D2B959539B97C78920102D5A06059F4DCA867473A6
      SHA-512:C4845FC722057950D06077324A560A5694FBEE913E8E98658A13788B4A3C93EBF5776657BAEF623D1DF2DDB421EB560A121EF6E5F2ECBE2D21EF24D81111E16A
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=310, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=680], progressive, precision 8, 680x310, components 3
      Category:dropped
      Size (bytes):21833
      Entropy (8bit):6.917213946073042
      Encrypted:false
      SSDEEP:384:ftCiiG3vng/LiBYNg78yWGBuubtz2Iy9BYkurorSZT:ftCiF3vxYyPRTtztyfYkAosT
      MD5:0523F7FA41CC8349774D7336B8E9DBCB
      SHA1:8DA9C5BBD51A366DCF3BEF18C471EA8EE5AE3056
      SHA-256:F63B4CA1BC7AEC4B98DCA35C9112FCB5065C362F33760CA520DEF2E8A1A933E1
      SHA-512:942DF5EEECA649FB18EF3B417F6E0053CC64C0567984198ABDF65DA0C10D70CBBC0E583BC2C20F2F570D1E6A47DC91D7D1E3F35CC1B1B8753E031BFB0D59E741
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=310, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=680], progressive, precision 8, 680x310, components 3
      Category:dropped
      Size (bytes):28274
      Entropy (8bit):6.974824782530709
      Encrypted:false
      SSDEEP:384:7YNg7giibYNg71vn6/liBYNg7xh3PXvMv8pkJdhZ4l:7Yy0iAYyJv1Yy/P/MUpUc
      MD5:EB5615660E55716CF933ED44222028CF
      SHA1:07DC30D1BECD565F0128415FBFC47507B2D9BCBE
      SHA-256:C09077E451BCED29D799B6D2B7A8982205E5087D4B1ADDFA7566C574BE7775DA
      SHA-512:63655245606E6886C63DC3AF393B589A40C723E10E03A63944EFB94EF0FD5473BD805A1427187AF539D50DC5E61BBB9E5C2991E10DE79DA305EB8D09A77686DA
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):594
      Entropy (8bit):7.284771036181718
      Encrypted:false
      SSDEEP:12:6v/7m/6TUaWI5c+4QIIuary0BjlMN7Eoz1hmj0ENcqRCsKH8TylGgWmGl:b/62Mc+4Muv2lMDz1QjvFR6+g2l
      MD5:43C99C5146E09CFA42C5BB0200521EDD
      SHA1:1373E1708988A60C135D10BB835D072D5C70B129
      SHA-256:5C872761FED19FE5DC7276B5AC89259744BC1864BA7AAB81B0C44A2427C9D367
      SHA-512:F35DA12FE3C3E6B2A33A7BDB8B4207C31C2A3CF6E9C8C37F4D76FCE84C8AB8DBFC3358E7B45E981E62D10647952462B7DDC5BD4FB3655EECC18A4448F75577F9
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):691
      Entropy (8bit):7.400499400699301
      Encrypted:false
      SSDEEP:12:6v/7m/6TUaWI5c+4QIIuary0BjlMN7Eoz1hmj0GsHh10AOKAAvDs9Ltj:b/62Mc+4Muv2lMDz1QjDsHh3MsI9LR
      MD5:5E5359F444A2F7F727BF055729F1DA5F
      SHA1:B7863BE1EA595A7FFCDDB14442E46CD30D866327
      SHA-256:57FE447542AE8B49444A09A7A07B7EA24C83EAECA5AAF087F4EC50CB289135BB
      SHA-512:D866A98EF177DB8040AC10B9F96D0F37A7D11F57EDB46CEFD2EF883950CAFCDE64704D706A661D266023D95DB68690AC0F4BBB28919A2365666E86093EF854DB
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3049
      Entropy (8bit):7.874580692912668
      Encrypted:false
      SSDEEP:48:b/6qbllck+itY5vm7I6Wzv9UAOb57C1cSMIg6lc3d+0UWHdVG/jJtFo3/d7zaY+d:bSMllcHitlIxv9vk7C1+I4wWHLihk/xU
      MD5:CDC0E7EFCEAE3705956CF9806376C450
      SHA1:7D23E81BF8E9C5E34EE65A8CB66B46143B4E9D7B
      SHA-256:B82E0BC74FD601BFA5C2BBADEEA7BE20720E9B614622A7A92E45D642B0343426
      SHA-512:B9BE2EF3149F2427D274DF995AD1B3A32C44A3BC02FB343B0BF5DC82DA3A69A2D22FF273053B7902CAFDADCEE2F2365FFEB27355443EEE9A6313E77BF9046C3A
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):389
      Entropy (8bit):7.28884558678762
      Encrypted:false
      SSDEEP:12:6v/78AVlQdqR6iYW53JO8I7usvN3QlpmP/k7eFlnQt:clfR6iP5PI7RQHeeefq
      MD5:64FCB4193C444F034D1312873BB62943
      SHA1:05D0EDC924CB1CE30239EDAB01855A70991E3357
      SHA-256:42FE4EE2D1A6F3C7A08E2D54C4EA1B206395FD647F954A1076AB389900C6D82A
      SHA-512:054D50EC7806A5B4DD71287C03F5FE92F70A2027C0D77680CBD53C4D75A8611798F096D0A5AC9D2DFD556226E489A9CCEED80D006FC7681508DFEAC5D8473D6D
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):633
      Entropy (8bit):7.337431096542785
      Encrypted:false
      SSDEEP:12:6v/7m/6TUaWI5c+4QIIuary0BjlMN7Eoz1hmj0Q6ZtUmR+P/WpVfPbz5v3UN:b/62Mc+4Muv2lMDz1QjgZbYXuVfPBkN
      MD5:BE84C0A7BB79D587B8AE44365EB05B24
      SHA1:487B2B7CD265889C5AA35EED7A721A4C0EE7075B
      SHA-256:04ACFCBA51D2831B64E05C96CC21DD19A2E9E0E12A38DE1F46BD2D38E303B68F
      SHA-512:879B5EF67F1FF3EE2B72CEF73A0C8A6A41D16B32A210F4C9EADEF18C5783A20E9E9BF1010259F631B3565C7DF19F65DD16219EA09825F9B3689DC88B780F771C
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):744
      Entropy (8bit):7.463214809782998
      Encrypted:false
      SSDEEP:12:6v/7m/6TUaWI5c+4QIIuary0BjlMN7Eoz1hmj02XFbz9+fd55WllImems5YOjLhA:b/62Mc+4Muv2lMDz1Qj5Rp+l55WllxP9
      MD5:06B1D4FB3003F0C449C74A1EF9156F37
      SHA1:D8D85F93330E52405A5C8F974496826B99A9DD8E
      SHA-256:9877B0C11463FF0F9B1DED7A49A6857237B7B5B8160C9178549D01CAD355159C
      SHA-512:1578A62B73B03AB6A7557F6195AD00C8A351FE7B8CD5B945057B995B89B698AD18881A8AC7E72B0E0FEBF1A417911BC765CA398C61BB1A0DCD067EAF769C0844
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):218
      Entropy (8bit):6.433223624675344
      Encrypted:false
      SSDEEP:6:6v/lhP6IcRnDspZBHIA52b7Gu/BpKudIrIrwp:6v/7iIrxHIPHx/B3cIW
      MD5:B3BE2D1089A6F1478586814141E261A3
      SHA1:D597501F5977BD2E85FC9906330BC360507EB9B7
      SHA-256:1A50031D59D953B1A69DCC8A4D4FB9FAE244E4ECFBE4DF432026917AEDACF7FF
      SHA-512:9A9EB1E06A952982A94EF510E1106E2EC7F97AEEB598845ACECF9A824542BF4A7FB7987A1F445C0B0F868EBDF09E45E7ED6D374A80CDA045CFF7F7AA184BFF03
      Malicious:false
      Preview:.PNG........IHDR..............H-.....tEXtSoftware.Adobe ImageReadyq.e<...|IDATx......0...4t.N..e..!\.}..=....C..s....A).(.&.0..&.H.C....e.u.R.5*.D...!.}L.F....!....:.a...k(.y....0V..R...)m........a..x7*....IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):359
      Entropy (8bit):7.096434333250565
      Encrypted:false
      SSDEEP:6:6v/lhP6IcRnDsxHhD0uVnCCpRrjzgsNR0thfZgYURDCFr7AndTp:6v/7iIrphDXNlTrjMeR07fOYG67Anr
      MD5:928691DF2896A9ED30FEDDC14DE022E5
      SHA1:AB542DF8188A553EC3D578D06616A537C6DC8269
      SHA-256:94AFB0F3DA39A88539ACFD0F3B7206DFF8EF7600099D33BCCC850F28D9CC305E
      SHA-512:7548E3BC6042B91A4FC85FA090A3CB3790E1E6AD2350F0F05F14745A946C89657CCE3BA526E7FEB486F247C11F909EEC89CF60D2E6DE4E5335E62C4615867F70
      Malicious:false
      Preview:.PNG........IHDR..............H-.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..9n.0......H Q<....P.\.!..%r...!."...K.X.q.B..F...y~{F.....+.'..;...,.O..MUU)j.6,..Py ..Q.`.}...a8bb..%.u..4E....K.m[...8...R.4.R.......i.yl].#1.2..M..:....GQ..0.<.c.+.,2.".O. .`Y.....q,.y.1.#|..8......$KQ.x...u.....Wm.F.$..C..A.d.r.........M.}p...0..M..x.Rx....IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):2903
      Entropy (8bit):7.871277803737411
      Encrypted:false
      SSDEEP:48:2/6qbllck+itY5vm7I6Wzv9UAOb57C1cSMIg6lc3d+0UWHdVG/jJtFo3/d76RzN:2SMllcHitlIxv9vk7C1+I4wWHLihk/xu
      MD5:5147E38DAC6CD2240123AE354B2402AB
      SHA1:2BEA80FDAF1C3D0C12972B5A619BED26F1D14559
      SHA-256:26D47A2A44EF18E337208903FE5EE1EFBC5AFBCF17AD5D8E424C12BA983C0AC0
      SHA-512:6DC896E30E9F36BC9AA6A510899C07472CCBC21DC327CE5AFB3855504CCBC7EC252F2BC4BABD9FEB03B35AAC381FBBE5E95C90209325E8693BB3D2B4BC181040
      Malicious:false
      Preview:.PNG........IHDR..............H-.....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3088
      Entropy (8bit):7.883520361970016
      Encrypted:false
      SSDEEP:96:2SMllcHitlIxv9vk7C1+I4wWHLihk/xHV4E:2SHIIHUCD4wab
      MD5:CBF2E00625713E9237825F88ABB8C72F
      SHA1:59F72604BD12C96503914D7DEFCF8C88C1DD51E1
      SHA-256:F5311F5EA0C2F3D2548B61AFA3E332EC3FCD9D5FFB0A4EA416770F74494591E9
      SHA-512:2E974FF888ED2A993970201FA557596AA28C629A85453CF381A9A19D7821196C99E2D9A9DF11451533A08902485605C9CD390A43B956FC4A55E28184EAD89CB5
      Malicious:false
      Preview:.PNG........IHDR..............H-.....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):1292
      Entropy (8bit):6.784655495237181
      Encrypted:false
      SSDEEP:24:P1hpunQWwjx82lY2T32HEVVteeyJ3VVeeLGnsftAtQjoniNyuP7kos6BX:ditNn2VcJ3tQuq20qP7kosmX
      MD5:3823A041D226998EC950DECB63D09CE8
      SHA1:62C583BF1C7BA8AED98967EEF9BA5CF216F1E8FA
      SHA-256:B65BC9E0353544B031F9BCF9E7AB0226719F5FF1BA399544B2D8395BBC2DEA25
      SHA-512:D3C364DFF2B381037BAA823724ED974488550D67888528E3F64156E549E0D9DF1980D803E627183CA30AC2A9E89A985045E27407FC0D29401CDB8FFDB521D69B
      Malicious:false
      Preview:.PNG........IHDR.............r..|....tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:816A243F562D11E19426B6DD7C5B8E39" xmpMM:DocumentID="xmp.did:816A2440562D11E19426B6DD7C5B8E39"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:816A243D562D11E19426B6DD7C5B8E39" stRef:documentID="xmp.did:816A243E562D11E19426B6DD7C5B8E39"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..[.....IDATx.\R.J.A.....K4.A...&..."Zha!".......Q4.b.....+.!..MDL..?!X(..#..K.c=...o....-'...i:5 .......o..A.!...._,.C
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 650 x 77, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3119
      Entropy (8bit):7.71098264250602
      Encrypted:false
      SSDEEP:96:9SMllcHitlIxv9vk7C1+I4wWHLihk/xo+:9SHIIHUCD4waz
      MD5:2C5A525EE7031243C43E4AE14F0080B7
      SHA1:EF0797150CF27B077D1682A0D94B2EFF47AEA1CC
      SHA-256:D3B52744D8BD75162C3E9B2314ACB5E5786D43D6CE5B69D0740546E159B43418
      SHA-512:710EB6D554665D257B9795630CA17422AD262C2677753A96843EAFCC0882465455B53C7C9D08F0ADABB1FFF90A20C58BDCB35DA65805C50A13243D41D896C9C2
      Malicious:false
      Preview:.PNG........IHDR.......M.....!.E.....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4488
      Entropy (8bit):7.914850902129742
      Encrypted:false
      SSDEEP:96:kSMllcHitlIxv9vk7C1+I4wWHLihk/xKzIHwb/p0ndFg6uqhhP:kSHIIHUCD4wakzWwbud26uM1
      MD5:DB85E6D05EADA38D424A2E595643717A
      SHA1:E0B38E8BA59FEC11DE18EC5B1B66B59922620BCC
      SHA-256:B96740EEF24466EED8627BAA9A3912DA7F269012FF7513BE44A7DD0759272931
      SHA-512:EBAA8C7853039280075D19BDF076515C252C845FB28DF8CA5B9D364EAEBD4517D903884E8DA747BE1295ABF00BB79EBD554A3636045725BD57B86BB8C7B945C6
      Malicious:false
      Preview:.PNG........IHDR.......2......$......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4430
      Entropy (8bit):7.921226672000871
      Encrypted:false
      SSDEEP:96:kSMllcHitlIxv9vk7C1+I4wWHLihk/xyP3ZtXjCtmvPmjll9:kSHIIHUCD4wawP3ZHmjll9
      MD5:C05092DBCFAFDF377483704AC25DBACF
      SHA1:5F3462EFF57AAABECB7CE437FD1D92DA55EDE35A
      SHA-256:74992BEE2C2BAB1A6934568058E50CA831D8BB1E09B3D0D472F3081658B18FDC
      SHA-512:B8252965DFC54E806926B684B6BF20D1167A15F95B9791AE52C66F70ED66AD4B6FD737A0850D5A17F7E0ED1CC0811B91DE5A5F07F2C99772E2FEECB3B4FB9A86
      Malicious:false
      Preview:.PNG........IHDR.......2......$......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 127 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):5828
      Entropy (8bit):7.9454818689856745
      Encrypted:false
      SSDEEP:96:sSDZ/I09Da01l+gmkyTt6Hk8nTfTAVWUkk6sqnlfXa3dUlA6iYf/5JhRa4gI:sSDS0tKg9E05TcViL9nl/aGNiYfrnarI
      MD5:93BA1364E1DD335134AA6212993FD881
      SHA1:54510274AC6CC12B75D306808E19BB11B1A950EC
      SHA-256:50EB2C20CE90ECBFE0C19269369AF0865F57891864FA0E7365C6B9A4CD3D631A
      SHA-512:A4EBB16EDABEBA230EE454A6794D420999DD81C6D077D9851BDB1A4D485E4003190AD6DE4BD51FA2A431D0712E266754B298EB649D4FD1FAB967EA80546F6902
      Malicious:false
      Preview:.PNG........IHDR.......(......6%\....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+...*..x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D..*.A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 136 x 135, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):14680
      Entropy (8bit):7.975231268423949
      Encrypted:false
      SSDEEP:192:TSHIIHUCD4waY5iW8C6HYTSH4DduFk09rhQ+zXckMC2a03SIDwwdv9YPjBKCvJNQ:G50wL5VzSH4keQ5zNjQNwwdvUVZWKT2
      MD5:A27C51E0821FF975C33C70578BBE1D97
      SHA1:E067C98EC18DA0264209247A898958334778DDFC
      SHA-256:29EBD96D14DEE8E335A674BF093AF7ABFD1CBD931B3277516FBCD037366D1344
      SHA-512:4ECFD3CE91179FD6E59C8FA97322EF36A46C773FD608577343D96C97492D39F6DA42E7926C67883A3C48782A5293D1FA71D043380ACC0D8A41538241F1ED0395
      Malicious:false
      Preview:.PNG........IHDR.....................pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4465
      Entropy (8bit):7.914346867116267
      Encrypted:false
      SSDEEP:96:kSMllcHitlIxv9vk7C1+I4wWHLihk/xpoBiGNsh5G7LInqibmf:kSHIIHUCD4wa/o1sjeiyf
      MD5:83C81DF0929732411F558EA71579A551
      SHA1:B8BA43E776347D7BA3255EE6B28BF234D337CC5E
      SHA-256:AA34EDFD745D5AD8781AF3E6018AA1EFB8E854E688CCCD36076713AD94D2E559
      SHA-512:621C5977ECE20B5D386C86AB03C829D7869D5F353CE77B13FC582E87DF056B10D8DEF9AFA9A2ED3F107F76BD301FF8D65071412227F9E2C4365D604DA3AF6244
      Malicious:false
      Preview:.PNG........IHDR.......2......$......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4470
      Entropy (8bit):7.917289430396852
      Encrypted:false
      SSDEEP:96:kSMllcHitlIxv9vk7C1+I4wWHLihk/xMIzq7ZXkv9pRJdAr/:kSHIIHUCD4wai/2zdAD
      MD5:2FD9F1B799FD5787126754D2C1F6C651
      SHA1:41B61FE270C1D1B121619078D486497EB79D65F2
      SHA-256:60434DCA05436A016A7E3F4CE86B51B8A4EFC50FF5FC9E8AC16DD58BE6D26C82
      SHA-512:3A4788A01A2246AB5D525B67BA9E31FD40DDD67621EED62B10464ED34070B8D946AF8A309A6FB417AFB4C6CB56729F5A8017DA26C8D5292396B48E3E06F9528C
      Malicious:false
      Preview:.PNG........IHDR.......2......$......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):4396
      Entropy (8bit):7.913214767932911
      Encrypted:false
      SSDEEP:96:ySMllcHitlIxv9vk7C1+I4wWHLihk/xi+R9brt6/yyKfAi2X6NQszf:ySHIIHUCD4wab/EQAXX6Np
      MD5:2A76910CEF3A8DF7DD051770C033B259
      SHA1:F63E428920555D84ECD5113F71D772C5EF2D21F2
      SHA-256:9BD6DED5C8E41450A27716CB7A103AA8151D3688282F7F5FF4CBAA0F1FEBB6E4
      SHA-512:E7258CDF8B1ABAEF0B96F740120F3BF5916D50D657195DD160BC8868BEF1281F2568FA3E5674046DFFE3FD0C97203031EAE74893BACE796BEDB48DB10D823E09
      Malicious:false
      Preview:.PNG........IHDR.......(.......G]....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 177 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):5231
      Entropy (8bit):7.951714136048024
      Encrypted:false
      SSDEEP:96:iSw+d36HJjEEoovnaNErgGT/sd7s2K0O8l3vEWebnuMhsvOsUn:iSwQ3yLooSEr5T/Os2KJ8lfmnukn
      MD5:049139E93363F3E947107146349AF929
      SHA1:BC56DE6D4A7D0DCF05B4CD26D1F13F3545E96419
      SHA-256:4BFEE58FB3B28E7E57554E0AFE68E197A7CFB9E3EEFC2EE6FA76B1BFE214F8F7
      SHA-512:A2735C4B19AC9D891755D6BF14E46A0E97B148E99A7137F88DFC57ECB13FFDE922DFAA1CE335122AE76A684F01ABAF0CD6180CD1206601949815F2BA2189C330
      Malicious:false
      Preview:.PNG........IHDR.......(......@.N....pHYs................6iCCPPhotoshop ICC profile..x...J.P.@...P+.qpx.((..`.-E...!...Ji.^^.~..[..w...QpP...@q...!........r...u.a.a.k.n:..|9...S.....n....$....+..y.;...|.*.L..n.. *@.B....0.~.A...:i.@<..^./@)...()..A|.f..|0..3.}.0ut..jI:Rg.S-..eI....<.e:.dr?...&........b..n:r.jY{..3.......Xz,ZA8T..*......x..oazR..+....V...../..O..ZOb... cHRM..z%..............R....X..:....o.Z......IDATx..yx.U..[U]..;..e.`$...2.8#:,*: 8.*:.. ......*.(........*..!l..%.!a....{-...".2.....y........s.)q.rWC....).#0.....}K.D..< ..W..Y.:.h.....D....=.....NGTW&......8.+WQ...B.UTQ...*.qTQ.....!..........B.E..bA...[....b...$..S...:H.k.K.F.Z......B..BF....=Q.. ...NI.C-WM...H..wq...B\.kn.f&ew..vc.l.[....b!.a=...[...A.^%.V.'.?..i...8.4.....S.EB...../.......Dz......w..g.s.t.E.|b,..Kh...9Y~.....*......<|~l1U..............?...3..M...e....)..a... U....!S./.{..<....3w.g...8-..(.Q]....w.M..t.....d.0u&g.`..bS.Jv...J.41.).{..}y....-..,..M .....B..O..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 221 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):6532
      Entropy (8bit):7.94790780534549
      Encrypted:false
      SSDEEP:192:5SwQZjV8j7DawZVkQmNbFs6qUbDGWmzNVg:gwojAGQmNbLqcDGRg
      MD5:ADAAC85E4884F643E061C06F26D3DD78
      SHA1:3D437BAE1C1F93579DEA115F2C38F1D5334BFBE4
      SHA-256:F78541A8B1218AAFCB3BE55F0188B1F880799E49E9FBE8642403DA95902DE1FA
      SHA-512:01E2316C49304AA921F6647F014070C66CE9CF3F7474E6ED3DBD319A1115532B06AE86F2E0AD9F13FA0A097E7D30F91D14CBB5C97CB2EA10487865B6CF2BA9DB
      Malicious:false
      Preview:.PNG........IHDR.......2........M....pHYs................6iCCPPhotoshop ICC profile..x...J.P.@...P+.qpx.((..`.-E...!...Ji.^^.~..[..w...QpP...@q...!........r...u.a.a.k.n:..|9...S.....n....$....+..y.;...|.*.L..n.. *@.B....0.~.A...:i.@<..^./@)...()..A|.f..|0..3.}.0ut..jI:Rg.S-..eI....<.e:.dr?...&........b..n:r.jY{..3.......Xz,ZA8T..*......x..oazR..+....V...../..O..ZOb... cHRM..z%..............R....X..:....o.Z......IDATx..yx.U...S..[..IHB..` ........#....WT.7.AQ.Q.w.Aq...3.( nQv$..D.IHX"..z_..~..i...g.....y.<<].U...w;.1i....t.|.i...3d../..t........U...T...2t<.....V....l<.C.~y.pH\....\..0d..c@g...!C.t...2.3d..!C.t...........[.1B Z.at.!....bZ.U."...0!.@ %0...8...Hf$!.]h...H .....R.N..]8)..........!$.B.8...9[.V..".......8!.....0..G0..m..p.........4*.[1.V........N.R.h...ys...V.r.....gYRv.&.$$..RC..8..a,.0d@.C....\.,......&.mY....?...#.*bZ..)=.^....o.V..]...>.g.A..+....b.c...C.....~t]cf.;.i.V.XS.0+.=.......R..T.t..$.f;..'.O.o...#.k..Y.y..Z>:..h1d@
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 274 x 62, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3044
      Entropy (8bit):7.854177066533027
      Encrypted:false
      SSDEEP:48:5qNJ0vYCpaYpXIM31gsITuPPf4pStL4FIhLYAJfiZnB3O1yuu6I0Pi4Si3wuw7Pp:YHCpak/1ghTuPH3LDEAJfiZnxO1A6I0G
      MD5:BBA90EDFD2AE811524E38E12D7BB0B56
      SHA1:A8E8272081CCB8329A03AA2270D7A9C845CACFA6
      SHA-256:62AC3BE9569D8DF00FC7272533A26254121A3FB27832BE016BFDBE29FD98D6DF
      SHA-512:F4186B5233E6DB81BC71E3F4600602E225EDF743175E1273ADF242DE14B1B458E1447742CD73BF4E42F77DBE4DD03FE5672668A3CCA64302C9198EFCC6A197B2
      Malicious:false
      Preview:.PNG........IHDR.......>.............sBIT....|.d.....IDATx^.}lUg.....HI{yk...2;.[.....t..v....,.L...q.%+&K.`l..pb..f.....f..{.:V.P....C"....B......;.s....sn..=....y.<..=...y....=..:..FM...FS.3\ .. .H@.A].t.[^...Gkh-^M......@..B....K.h.-.U.2...\..t..j...F...i....@(.:QFkH..P....@..> .!.T....L.B..!......`....D&.!.......@H0.@.."...DF..@.. $.. ....@H"#D. ........... $...........UTUVG......)*/Yb.h.p....P...tb`....OC#..6..@......h..h..e.T4...?....s.........].Hw||.o...=1..6...H....@A..[../.c..Ax...B.iA ......=XD....g...4...g.E8&...]8..J...g...r.[.L....ps..@.$.h!aA..3KDX@v.j..zw..JY.X|6u.ALB.D&..%.h!i......k...B/|;..b......$VH8....w.!"a/'7)j.a.| ..B .B.[.l..q..D6.^..;D$4:d..O.....*......sL...&Vw...%.s.'t9...{......Ab.H..D.._.X#Ow..%.....4....Mq.g,.$NH..j..U.[...o..}.z....$.~...pV.gL.k~..$."}..$NHT..3..........n.,$..~.v...\9....h"M..$NH._....n6.m>|/..K[8.A....4.....%"q....$,...S..B.3.(..R....u..z........U9.s...1.]|....}.i....^~..........|.r......K..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):5669
      Entropy (8bit):7.93840355691811
      Encrypted:false
      SSDEEP:96:ySMllcHitlIxv9vk7C1+I4wWHLihk/xpbgAKAST+G/gOe6eV8CC34ZnFIt1:ySHIIHUCD4wa5bST+G/gOwyIZny1
      MD5:EDF2B3D5D5A129642EA1767E3073D0F3
      SHA1:BAD309410B838BB77DC3C6A4B7609F924752CF25
      SHA-256:6BBE49B48FA1C85F46DC12499E97E83A7DD7AC80D17B9F68E623EE3C263A4106
      SHA-512:99C7360A6233B4917ABBDAFCA92431B14852ED11676489E2837D8BEE63A9ABC70F28D40D37A4E2E4BD8A922829399DAB05D74E46E11E8CF57BBC1CDEE17E2930
      Malicious:false
      Preview:.PNG........IHDR.......(.......G]....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):5445
      Entropy (8bit):7.935161427280956
      Encrypted:false
      SSDEEP:96:ySMllcHitlIxv9vk7C1+I4wWHLihk/xp0WMnZeGhgIRbwUp3+Px09CRcoTxKm:ySHIIHUCD4wa1y1RbwUp3ix4oTf
      MD5:2C82A05B8CB6E945AA3229225D77BADB
      SHA1:8D74A2BB45AA403DA49E449D390AA6B6D8D7C58B
      SHA-256:5687EB042704EF34B3B47711B377AD972ED948229128D0DC0D663DFB71BA97CE
      SHA-512:79776830B0F020CCFE98870D216FFAB7F16D827C657107E156956B0A9BC9F61D9E2C769A1804899666857584D55D5D5CE9EF4B28AFD61F61B2C99BFBADF2BDF0
      Malicious:false
      Preview:.PNG........IHDR.......(.......G]....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):6160
      Entropy (8bit):7.9429678304530205
      Encrypted:false
      SSDEEP:192:ySHIIHUCD4waQUGNM/RN0LI8PYlG7EPOd:N50wiGNM8R7+Od
      MD5:CFA79036B0110FD42CA4188313C6C8DE
      SHA1:7229571E656A12A910002A47E4608DC38CF21B38
      SHA-256:107A6154B6A13FAAD96B31C9C92A9AA8889C76D00EFA1A0000C47DDBB2A183A2
      SHA-512:B1D7251F7C6FF00111A9D7E48EF830E8FC76C6DB6E2E0D6028841F15C5F771AEE48CC2C6D5CC2472EC3F27F2EEC4FCF7EC9A0FFDE86B66C0A7AC57315AEC45AD
      Malicious:false
      Preview:.PNG........IHDR.......(.......G]....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):4198
      Entropy (8bit):7.909717078685963
      Encrypted:false
      SSDEEP:96:ySMllcHitlIxv9vk7C1+I4wWHLihk/xwcOBaS0bNDQJZQf2Ns/N:ySHIIHUCD4wa+cOUbqJZQeNsV
      MD5:5578CCC1B4540F9593646472C64D2628
      SHA1:962AF6E0BE8591849816537B8DCEAB66082B6DD3
      SHA-256:FA55BBB525A07683D76F34D500FBFB67E726625F7CFEB17E47D553C0CF050E49
      SHA-512:C9E77F17382B964D9ABEBCF1D689F9A6520FE927867615AF9E9BE6D8FD1C9076B23E5CD5ABB9BD0FD7BAA9C14ACBC59FCE7BE0CB7A3FAFF9BBF7852E99800E0F
      Malicious:false
      Preview:.PNG........IHDR.......(.......G]....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):4824
      Entropy (8bit):7.919163776212046
      Encrypted:false
      SSDEEP:96:ySMllcHitlIxv9vk7C1+I4wWHLihk/xg01tnhDi4xanqm/OZgfjUeDoIo:ySHIIHUCD4wa+UhDjN4OqUeDoIo
      MD5:8527D5D916E354F9516F0DD377766816
      SHA1:93AD1932FB57C6E23C398BDEF88E83B50B4729A2
      SHA-256:587FF583D37A7C1CA81A08662A0744F093EC4D448B7B27DE0BD602CA4AA20FB9
      SHA-512:B7BED18061EA281EA4E55346D5196F39389394B30886D1C989636DE73CA262079D05BD727898E32BDA6E2F74188D73318B7825E1F86FBB79D3FC721E86507A1C
      Malicious:false
      Preview:.PNG........IHDR.......(.......G]....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 150 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3529
      Entropy (8bit):7.894142137876445
      Encrypted:false
      SSDEEP:96:LSMllcHitlIxv9vk7C1+I4wWHLihk/xtXjN4pUz5SHZq:LSHIIHUCD4waLCpy4HZq
      MD5:9C3AC999E3ED8DC7763DC70882E0BEF5
      SHA1:7970875FFBFE3D8FC5D059807DE97D21BAA4F659
      SHA-256:527B4CC7A39641641F84617443A72BA527E3073C3D9A941933E0A5E571D6344B
      SHA-512:F77992B00C0CADA4A9B678E7860FABF270832880E659D72DFA1AE85F61523402B5AE789E637F908A63B862DE09E3DD91CB5D3152B06ECD2149401849A72C4D41
      Malicious:false
      Preview:.PNG........IHDR.......2.......".....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 150 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3462
      Entropy (8bit):7.893662990055222
      Encrypted:false
      SSDEEP:96:LSMllcHitlIxv9vk7C1+I4wWHLihk/xQw5LW5j1fXx3UCKx:LSHIIHUCD4wauw0533UCKx
      MD5:12B2DF3BA786FE7ED7D38300D49DC1CF
      SHA1:3FDA264EDF9C97E3A46ABF469D22ADF2814849A1
      SHA-256:C471750413D892E4C0D70F0F09C9FC02F57B61A1020CA97B8C5315BE646A3448
      SHA-512:0DBA89FECA61AC1C2AF4789D38088F6F421074D45283F1F75F25B443B75150190735FAF26EA73FC74E974E19517ABCA95F006300A3189D7B7ADEFD930AB429EA
      Malicious:false
      Preview:.PNG........IHDR.......2.......".....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 20, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):714
      Entropy (8bit):7.622587184814141
      Encrypted:false
      SSDEEP:12:6v/7+2CJ4DotZYoZWORrlWtMYBvM2G2BvntlsGmx0dAoLimt2eBPPZ2e4+Ob8l0f:dsDoTWOtcti+UGmdoLi5Y4jYlJ6
      MD5:2ABECF83F367E5F015E6C1DA85FB78DB
      SHA1:313EA4280E9362076A071F322BDA3E1049758EA6
      SHA-256:D62325083CFA49297ED75DF8928AD3010EF650F1FCCD899000DC336E75BC8601
      SHA-512:B12D0BF87D182B6B6BD76B76CD05C917EF64828C91E8377ACF5FEAD62DC638E845E1D64E7C45EEFD663714CE688F3419DFFB51818E7725F60E6AE658A812E77D
      Malicious:false
      Preview:.PNG........IHDR..............b.w....gAMA......a.....IDAT8..SKH.Q.>.._....&1.....6.3#...B.(..m..TC....mc..6..8c.A.-....)......9CGF........s..} ..l{4.Q.W...._)...`0....H...."....~2......-...^.. ...F..E...4G./......V...m5d{8y/....;*.}c#C...#.iM..&twa...?{.5..a(...Ux.....wq..\./d:?.9_.d9I<.8S..x...DC..4/.K..#.m.+.'..R#.F.%4..x...3.....k.)z.(..2.P,e.j3..I....`.O.Na8..<..+`%.}z.w..._...iQ9Vl .~..".f........?.*x...!~..,k@......c...........u...'..).gi..jwtt.v...S|.....%M._8..\....4#...S.@<yH.m$.JSMr."..n-..........{.rdre......H....#.3_?}. ......-.`...S_>O....*.c=...Dp...<.~i.$..]d.*..nn..>[y....0::>....K...0m..*[}..w9.xL8c.k.4../.|..}.NmU..B.#,...gN..o............k..;.....IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 22 x 14, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):553
      Entropy (8bit):7.552033242759757
      Encrypted:false
      SSDEEP:12:6v/7RiiB7SLEkBf709FPByF+iGxdhfIPi632zJNO:+AnBI9DyperwPi02K
      MD5:BE2B9BF2E907DF8AC60D230332865D56
      SHA1:0BE743F70EC686AE1ECC44A13EFF4134169B5D26
      SHA-256:471327883276CE89C0933272ADB33AFBD43D6C8F6CCA7AA7BE6542EB91F9F2CB
      SHA-512:59F16519D7BE4C63B24BD8AE40633B49B4798D96BE6457B3F9C6204DFD23962BDE47EFFB910A673E9F8D073BE301F8EEC3D324484E568845770E49B4B910A8E7
      Malicious:false
      Preview:.PNG........IHDR.............+1......gAMA......a.....IDAT8..TAKTQ...yw..$..!..Q".S.F......I...Kw.m.:h.*j..jQR..!..p...P..6.hQ...x........w..}..s.;tnl..X8.D.A...aB.Eb.....n......,.m7.8....a...,(.V.3.........Q..W.3.|.c......V.'.F.TG.Bi..+..8>.b. `...7".;L.[..|=...."...<*.J............J.v&....7..t.3. .......'j..^....z.P0....,...M.-...U.CRS.6..&...[]].HW._:....W>...W!......[.kHKA.uX7..x.....6/...D=..lvs`.....|..l5V.B.|...6...v...Ib....q...h5^~.[...g....d.E..'.?.9]....4I.#Y.K3.'....gg.....Df.t.....Y...!.{7......p .....IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):389
      Entropy (8bit):7.28884558678762
      Encrypted:false
      SSDEEP:12:6v/78AVlQdqR6iYW53JO8I7usvN3QlpmP/k7eFlnQt:clfR6iP5PI7RQHeeefq
      MD5:64FCB4193C444F034D1312873BB62943
      SHA1:05D0EDC924CB1CE30239EDAB01855A70991E3357
      SHA-256:42FE4EE2D1A6F3C7A08E2D54C4EA1B206395FD647F954A1076AB389900C6D82A
      SHA-512:054D50EC7806A5B4DD71287C03F5FE92F70A2027C0D77680CBD53C4D75A8611798F096D0A5AC9D2DFD556226E489A9CCEED80D006FC7681508DFEAC5D8473D6D
      Malicious:false
      Preview:.PNG........IHDR................a....gAMA......a....<IDAT8....J.@....\.."xh.V....F..G...!,l.^@E.N....l.b..FT6$q~br9.b"N........<..R'Z.n...40..I...iz.".8N.u.%...@.E. .za.....cD.oF..f.M3..#CV.7..M..^....Q....].........H.@._.....v..v....8..-KF.O.F....,..r...[........p8....`.E.m......?......bS.!{...3.*3.iE..r".....d.;...g%w..*oV...!o{..&CVs.d0...~o0..Y..q............IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 75 x 28, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):2314
      Entropy (8bit):7.894434331014045
      Encrypted:false
      SSDEEP:48:TdZ8EIIsjeRr6qn8kmNVGJmsQojREYcQP6bHoahUAo/:RZLLbP1863bP6bHU/
      MD5:A7474995DD01516CEA41C16F7594AADD
      SHA1:0F16FE1DD1D5B4BBEF066D66C7C34EB741F20600
      SHA-256:6A143A7E5DEAF0F15616B89B3F22C96D053C7ECC89E178FB2C991FBB9EEA5284
      SHA-512:780B480EB0EDE1A1D30355CB5AB28A55E9CA7BB9A479A99C40685ACF03C4AB33224B8D77C0B03563368679F10C781FBE503855B9C5A49E0A74E24A1AD1A90218
      Malicious:false
      Preview:.PNG........IHDR...K.........).B.....gAMA......a.....IDATh...l]e....s.._k..c.]..pN.2eS...Q'....i1:3.....t....$iH....qh....A.'C.s...6......].m{.=...?..NO.n...O..9.{......<.=.J.4]1...j>...>'..a4c{J..5.~.5.&.....uuuL2%.E..[$J......U.v]./.y.....g../.5.d=6.X..f9&. D.....@0.....2ii.KIG.Wr.,.L).l.fF.'..M.._....'..:......3..f.D...P...!..n9.z'}..r\..6.f..H..Vl.mZ..T.%"9tO..".'TEm.j.^z..x.....S..;..s.<.. .g)..`.h(.......R;.....gh....*Ve..Q.......\....a..".EEK!.N...r`F]F.m....|....A.te.2...]d..R.u.f....!....Db..T..K.....Z+...w.}.u...."..Q....(....H..WY......W.).HG..P<..d..v.B............b..G..5...^n...e.. ..{...8..WTP....c.D.8......}c.RF..6r3...P..........m.z.....A,.._.P...&.x...,.........s3.b~.u...Z....Z.S..L.....W.f&...D..f.;.?.kl....u7`t-./.g...=5.1T........!.....D...N...Y....Q.b}....w"4f......?....n...B..xe...+@.8...#.tt..-..p`.3}PR.j..............-.u.M.....]0o..3Z..r..<.^w.h.Dm.Y[...B.3 ..\3..X.y...*..8.k......N...A.8....W.".?......1.+..t.O
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 359x153, components 3
      Category:dropped
      Size (bytes):10092
      Entropy (8bit):7.957422064858935
      Encrypted:false
      SSDEEP:192:VnxWgEzHPM6ILExqfXS4ZlwguAx8HLGSycW0/4CWekz:hNEzHPM6OEGi4fFuwkMt0/4l
      MD5:5FC2F45724B2CD7A6DAEC6F84FAE01CD
      SHA1:A1E03FA31A903204EC512242EA8EB7CA35D46DCC
      SHA-256:898C1B5F3ED1F8236D86E46EE617F9FF9FEAF6192EDEDEEEA3FFD9D99F7AB14A
      SHA-512:C438F51FF82E6E62A8D7E21BA7F0C02A451D1F2A59300B04F3A628F2103F69058C188C1EEE224A5E49A376BDF4603F504F5EA12CC69D744E9EE2638E2379D037
      Malicious:false
      Preview:......JFIF.............C.....................................%...#... , #&')*)..-0-(0%()(...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((........g..".........................................V..........................!1..AQa........"SUq...257Vrt.....#3..6BCRbu...4EFds..$%&..................................8..........................!1QR.....Aq..$4a..3.."25B.#b............?...8..9v..eE;".pa...v....|.Q.e......H.CfD.x......._P..S(TrN2....l.S..cgm...........vZJ:...=.<.p...._.Y:,C.....d.L......Z[6]U..={.Q_].*6..pc.....:x....lm.......'ve..F)M...A.K.....^...m.nD.Wa.....845..D.....SM..kw..S...Dm....N.(\.;ics.p.O....3...I=...t~ROgB.q..q.q......8..aw:?)'.....I..Y.5...O..._..K.....\v5g.9a..Zr.Vi!{....ji#a..N.MO'..;....!..OgJ;.S...E..B..MO'......t..fG.Hw&.......{:Qp.#.;.S...Grjy=.(.Y..R....t..5<..\,..)....{:Q..OgJ..dz..rjy=.(.MO'....2=.C.5<..w&........!..OgJ;.S...E..B..MO'......t..fG.Hw&.......{:Qp.#.;.S...Grjy=.(.Y..R....t..5<..\,..)....{:
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=153, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=359], baseline, precision 8, 359x126, components 3
      Category:dropped
      Size (bytes):26505
      Entropy (8bit):7.334100061822296
      Encrypted:false
      SSDEEP:768:eg2lii4g2l8zz6HREVZZTGBll63IpEBmd:3+b+8zaENAnEZS
      MD5:B33B26C90E5F2C33DB95AC71761F4536
      SHA1:C22A4E90293707F50CFC7EC1F0D6A9BC09E9D304
      SHA-256:A177EF1913D8B9B1FA5993F52EB9ED25C7730E1DCD2029A4E4C6D81D1E8C6ED5
      SHA-512:6C635ABA000FA6E99B6C26438D6E0F7FE7B53DEAEE427209AABB52EEA647FADB744E262FB9E5CD8C2ACD2DF1509AA0A7135B39C1406CDE6BE2BCD84BFAE36007
      Malicious:false
      Preview:......Exif..MM.*...............g.......................................................................................(...........1...........2..........i............. ............'.......'.Adobe Photoshop CS6 (Windows).2020:02:19 21:05:00.............0221.......................g...........~...............................n...........v.(.....................~...................H.......H..........Adobe_CM......Adobe.d.................................................................................................................................................8...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..Y....]..<zC..-.X.:..k]...9.?..../d..K.............[i......s.......\.,{rZ[.V..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 20 x 14, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):564
      Entropy (8bit):7.574447564559627
      Encrypted:false
      SSDEEP:12:6v/7MOXJLqhd1yEEHRS1YqmDRz3KBY60riIeba12oacTsg65KvH/Pxz:RCLGytHRSWqmVuBY6Qijb0HTsX5oz
      MD5:643A1150E8ECA4BF46A2FFB95CCA3E73
      SHA1:EFDDDC024D4918D6F4F78AE20256E260ED59D9A8
      SHA-256:854B0CD099E88C8309FDA0ED6513F46C19C338627040EEDFB9207DC16E465E4D
      SHA-512:C20DF468D597A2F42AE1C5800C89BDB132636FD192BF5E79A7959489D292ADBB600AA1EB7C9CFA002158B8F9012A4DB56410F5791AD17AF0BA534255C70A086F
      Malicious:false
      Preview:.PNG........IHDR............./.<.....gAMA......a.....IDAT8....k.`..g.....A...E......+.Y.."x*..W....(...G(..b.!n..[V.........d.%.7.d!.{.K. ./..}.H..Z.Z...HX..KX...U.n.;..+,..0pN.;. .!.{=Z_.Q...n.'p...d6ES...%eI.N...9.c.......$R..i...K.U.'N>DA.i..Rw... .j...a....A...!.r..@y.....C4.5..".F..j4.g..V....?,..b.K..>..=.V...r..U...MF.&.im./......%.D..3&.a....C.E`...>..Ht..f.+.4k#.7U.,.G-.....!..*.0.f..oi.s9..]...[.d.z.....2+..F.'ol.s}.{.@A.....1:LoI...........|^I...\..._.D..z...)../.>......._.#.b...Pr....o.6..{:.#:..S{}J.....9..s...E.]C....IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 229 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3691
      Entropy (8bit):7.932300965581058
      Encrypted:false
      SSDEEP:96:nbybWxaxuHNGfcqjE7gXU8MmX7q1567YyHiYSmF:n2WxAXfcqjE7gX3M87N1F
      MD5:48573907EFA5A673B918EE8246C8637D
      SHA1:69503736D1B5C89A67AFBA9BA8D39E7A3B32D2E7
      SHA-256:03ED11F9006A009BE654F615F959B54CA36CA1CA363E7B1DAE48944E3ABA78B9
      SHA-512:1A81AA2CD7C077EBEB8CACED7F119AFF4E75C6C0489A1E23F2E2C4EB287712795B1986EDC138B359C08BAA36171172DF1CD5EA56230D07119235A37DB17F5C9C
      Malicious:false
      Preview:.PNG........IHDR.......(.......=|....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..][..W.>c{...^2..&\.x.4)./.....E...Rl.......M......m..!!T..+@...A.T`......Q....(..&...^..e......g.3^..n..;s.s......Ut]'..N.E../..O.%.iZ...#...'?.x........(..w....&....z.g.W>..E".i.h.T.#.. .p..0.`.8.....D...@....n..c.'.f... Cp.B.v.}E..#...}.^....m.Z........C.....M..w.W.;A\...T.h.@...f.5.....q..!.YMX..@\.......g.!.....'Ou.%U..(....9........kBu.e.....7.....\.....8...,g....Q..`..l.K...2&QS..c.1.r.2.<....J.-...]%.........V=;r.X.F..+..d...E..@.c\:(..0>.P.I.$.L.yF... 7q.B..8.:.p...N..0).S......r...q.P0N....7..d.....$..X.l.j}.z...{..T7lO,...F. 03"Hp..A:..s...w..(!...H.@...z....6.c.....W.1...`MH..D.MH........q.n6A.l.....fP......)n`./4.2.,.....F.....'a....Lm.{9...H....2.DY.Da.0..z.P.F*e.S...^....' a..9v.}...#....f...^....?...;.....t.........'...l...eRR....8u..O.T...A...M.Y.6..n.V..6.=.-++g.>.?.o'..D......69E4..B..`.......a..7.5-.RQ=....#...q..]...\S..x!...q.lFp.0.L..-.dC.A...;..D`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 104 x 55, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):5272
      Entropy (8bit):7.934411634487265
      Encrypted:false
      SSDEEP:96:GSMllcHitlIxv9vk7C1+I4wWHLihk/xHMLMWrPPliTMZ+B/C0pfvt:GSHIIHUCD4waFazr3lvZ+BqAvt
      MD5:B9AC24AC8D864F4AF72B8420F23D95D9
      SHA1:AA653E8D5AACB686B781A24E0E657821B4A8978C
      SHA-256:8705EA87FA5E3335BE4508C2C854EEEAC7294349949831D58CC1A0990C7B02D2
      SHA-512:C3E93B1FDEA30467BEF008BE6595BDC194FA637E52C105098C2ABFD6B6913BA5B1308A7C21381B47573C1DBDFE90AFCB9317E8B40D22B1D9AD548EAC47BBEB93
      Malicious:false
      Preview:.PNG........IHDR...h...7.............pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 104 x 55, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):5964
      Entropy (8bit):7.9443039940495535
      Encrypted:false
      SSDEEP:96:GSMllcHitlIxv9vk7C1+I4wWHLihk/xl+e5/j7CL/Wabp0/atMMns0gARckxzI6Q:GSHIIHUCD4waKeRjeLJ0/atMeD5Q
      MD5:FF2CE8112EA6F11AA1886A591D34592C
      SHA1:68B34F1842472A73A5E8C0696BCBCBC134071238
      SHA-256:6643EF0D6FF6DAAE4EAD2D2E00FFD3B4BA81C4A7D137FC0A644C66B4E87B3750
      SHA-512:B9747DAFEDAF1530380EE7328CD2B33B312F5BAF5A9118F2FCC84B9FEDB6B905E1193480E3CFE47D2305F383202103FE53E4C973C8899060BCF50FF39317A54C
      Malicious:false
      Preview:.PNG........IHDR...h...7.............pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 104 x 55, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3470
      Entropy (8bit):7.763652774272464
      Encrypted:false
      SSDEEP:48:UwqQNn2xrkJJ3OHXfqeKfaU5PvmIXphLLLQHcWC1skKMVkKD4A7xilk4p7PvNwIF:EY2VkeHXfGP5LUHrCH1kKsA8lLqLpwj/
      MD5:A7BB6F50D352036F0EA21360DD0EF52B
      SHA1:E939731191E8661BE9AEEC55E5A2F1AF0D3BEBE9
      SHA-256:A573F4957050777752602E86281A2880CF11E8C3CE8DB150A713DBA4EC88C8F4
      SHA-512:3D323D4496708D049216A4DDA6BEE3BCE784251C7451DEFDFBE2EEAC10807F15153FC18364DF9C64B8ACD8E45BD243BC98A31A36F46AB321CA82036A771802B2
      Malicious:false
      Preview:.PNG........IHDR...h...7.............tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:812A279B4AE611E4A8DDFA6A09D43ECF" xmpMM:DocumentID="xmp.did:812A279C4AE611E4A8DDFA6A09D43ECF"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:812A27994AE611E4A8DDFA6A09D43ECF" stRef:documentID="xmp.did:812A279A4AE611E4A8DDFA6A09D43ECF"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.W.0....IDATx..\.LTY...h..F.v....]./.......D%...h.NOzF....!c....Q...w..c..Ah....QA.w....~.o....6.'.$7.z.._..w.=..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 114 x 55, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):5411
      Entropy (8bit):7.9398177576350735
      Encrypted:false
      SSDEEP:96:mSMllcHitlIxv9vk7C1+I4wWHLihk/xLey8GIZKJv8A9M+SU82fHPlcAH2dtUb:mSHIIHUCD4wateyfIZK+A+nwB2dtUb
      MD5:AE28B7396F5DA30CDC2D88A1338AEBDE
      SHA1:310F097B4C88264A53A368417DB15A183EB6FAE7
      SHA-256:39748CF5551486A339987F337C4449D29FED342E4230F2ED7DC727913691850D
      SHA-512:26598A7D24FF75C49B9D9A759CACFBE6EEFA184FBC745172843CE19DCEABF1B452E36DF56DB7B8027CFC0420BABFAC2AB0B7AFF5E500DC992C37A46D5F9F476F
      Malicious:false
      Preview:.PNG........IHDR...r...7......H......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 600 x 92, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):21861
      Entropy (8bit):7.968447899710426
      Encrypted:false
      SSDEEP:384:Gwm8PQnmUZ/lWRNrVQG2ODD6FW2gf9XMUlS8Xn9Y9jVttBfKqOYVz8nndjE:48onmUZwrVO6OW2gTny9BH/tVz8djE
      MD5:D4E46EDF2708B61BCB69014FC48C624D
      SHA1:4B7D4565A8CC09C4B37AA477C43D2BA99A9D7043
      SHA-256:5968C3CC283B8AB050511667261F0F9ACF11EB621BDE66ECE5361C02BE6B250C
      SHA-512:5FC0EC1FD12E60B8B86EF127013CAC6AA4DCCA52E9D2EAFCECDFDA85ED651025FAFB6145C8E2EE7840952CD8265E8FB440551C472A9D863EAFAE424E9D0B4150
      Malicious:false
      Preview:.PNG........IHDR...X...\......h......pHYs................6iCCPPhotoshop ICC profile..x...J.P.@...P+.qpx.((..`.-E...!...Ji.^^.~..[..w...QpP...@q...!........r...u.a.a.k.n:..|9...S.....n....$....+..y.;...|.*.L..n.. *@.B....0.~.A...:i.@<..^./@)...()..A|.f..|0..3.}.0ut..jI:Rg.S-..eI....<.e:.dr?...&........b..n:r.jY{..3.......Xz,ZA8T..*......x..oazR..+....V...../..O..ZOb... cHRM..z%..............R....X..:....o.Z....S.IDATx..]wx...=.%.4... .&(..Aj(JQ....RD.. ..).*...#...J.B."-.@ ....3.?...,.itx....6....=..{.}o$EQ D..!B..."...(.$Izj....N....!B...1.F..#./. ...3.6.6...T.&X........"..~.%.....)..d.$.`............n.).F.,.L....."D.,A...zR.Kr.H...aH8.!.:.....&.....%.. X.`9t r:..G...y.H...VL.. 0!D.,A...z...>3..l..o_.+V.2...L..!?.oEQn...p...7o..m.6.=#.St...".e"T.xP..2e..../...~ .rA.f..P..QQ....$I..e9x...7n...$0!D....`.'.0!+..'+.b.|....@...".&K8eM.>.$.....,..\....7.p.e....T.P.@.'............~.e..]...E./.e$Xz\.<<<.|.......b.%.............?..?. 00pOXX.>...."..s$X..66..e.....2
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 665 x 102, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):14599
      Entropy (8bit):7.949164301930348
      Encrypted:false
      SSDEEP:384:eHhkf/1H1uZ/HNe272Y4dyvOOVlhku8Wp9gokeP:6h0tH14lexsFlt7PNP
      MD5:A77CBA13FA4F1047CB2EC6A8A30EC117
      SHA1:F7606291B4B028337B062CF6D36434C0A86FCE44
      SHA-256:35224E4F473E4C41808E63A0C0E26C5A59675F88764C77604FF13E9863DF7A7C
      SHA-512:05F3D446DD720011A4966BAE140CE4AFA4A2A505CEA8F32B89FC5397128A369BEFE638F489038378D36CC7BE3B23E0C3875FE0302B2393ADE73C3AF51B2D656D
      Malicious:false
      Preview:.PNG........IHDR.......f...........sBIT....|.d... .IDATx^.}..\U....)$M:....Dy.@BPB...x...H$F.."..*a.A..>Fe....A......$...+<.dP.C....sU.y._}V.z........^.....}.....Z{. ...E@.P...E@.P...<#..s}Z."..(..."..(..."@.$.h.Q...E.......^.\.P...E...B..u*..}jZN....D.3..E@.P.... .....3..{.aNta....mD.(q.T.J..i...E@.P.v .W..E&.3.;.K..(.^..VE....O..tY.L%H.P...E._..K2Mr)'..e..;...dr..5UUU.I$...X..HD....W....=.....&lv....%.T../..3..g....yE...8{..T..)Y...CMY.&J..Y".v.n.......N.-.....f......!.^..|V.m...........G.lv.-[.onn^.Y. .........T.*.).....@.......u'h"O...?..x..uh.%...^K./.ah.....$...z.xU.7n<j.!.E%.&^.d....!..eE....3k..."...!p...L.~.$h"&Qx,.PF..%Y.......E[...@....\...;...u{2.<%J.ae...T....E.{35t...~_........+.%..OF;w:....KI0.<.~.w;t.=.'.).!j7.......UY.hQ.1...`_..~....x../N.4.{Bd.]..e X......E.LoP.....kG9M.Iz4(4...wsIu.N...*{6..L.......,.u...8...8e.$.p..IS.L...h.G3..zO." uL..T...K.(a.@0........<.f.<.G.q.4}F.f..C.t-.d..;..2..By0M\.....d.KF1.....$.F..P=..|z.".
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 218 x 41, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3413
      Entropy (8bit):7.888159483737473
      Encrypted:false
      SSDEEP:48:AchYfIZQibBNuONn7Uj9iBYAV3UfYQPfIjDLUxrs4fByMhe/tAKidVTNH5OUDQh7:xt6ibB4O97UgN2AQ6XMdHOtH2n5OUDe
      MD5:6F8555C5607DD659DE56D22A359C828B
      SHA1:E5519753771E635C2F938450E84878F5523E002C
      SHA-256:7E51B47C7A96500F8022B9E029D32E3D5E84AE3A78960D194843CBD77C048B57
      SHA-512:9F59FDFCD932CE7F6BA757D69824A005915059A2E95012813CD6FB1F24173D7B1D9C2B9AC25F0980225F1D07D02276981CC252FD1396A5F88F53469787E7DAEE
      Malicious:false
      Preview:.PNG........IHDR.......).....S.7l....sBIT....|.d.....IDATx^.]......D.v.....c..$>A...>....>...D>A...>A...>..G..2~......7....a}.l...`!i...".'Y,V.K........G)..R.~.R........]...9:..g......&P.&.]..P.."..{..i..K]_.{.ZMB.~..mVq......W...}.....VI.2...aJi.$f...l...(..'M;.......wW......o....1}Y.vx%.....U..M6......2...~..N..m>..Ai...B;.GF.]..HC. .r.j..I.......5.6.........S*.;..h..{.'... .S.X..y...Cz./.h_^..~....*)....T....h.../..}^K._.r).... ....D..'....6.*..@...w...SJ...1..V.rI_..(..T.1'..:...o3..gM)Q..*.m.Y.sc...t....h..r...x.2.6........@..y55.<{~hD...../[.d..t.m.r..0....T......#.Ev...;....T@k*.4F4...eJ..~L.Lh....J].....l@&R.............o.iY+........8Z.}.......y..C......U..H>..-t.Hd.~:...v,..V..o...c.#.>n....=F.J......kj..!"Z....h9.Z....l5.q.(..}.......d.h18...4...l...h.....cd|.\D.e...Zd#.,....$r^.;.%.Zg..L.9N.y.....+..(...=..g..@y/.4,.......y1?...h.{.!..^.....OC.x(..4..F..D..1.C."4.&.F JKs.-..3.+......T.........h.K..x......?F.q...C..=.O........8..q..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2020:02:22 14:32:10], baseline, precision 8, 327x127, components 3
      Category:dropped
      Size (bytes):27505
      Entropy (8bit):7.2519321520542865
      Encrypted:false
      SSDEEP:768:LRYy35Ri8LYy35js7Ie/3i4t5bLl7bqmy:1TLVs7ImZt1Ap
      MD5:D9A31A1AB0D82640C717B743C52E4ACC
      SHA1:2BEA9E0B3B880423CCD02581241027FD6D62FE2E
      SHA-256:F88EF77BA384C701CEA4FC329847DE073396098498F757D276286ACC8B493743
      SHA-512:C9804169E3F6DA1A3E1943E20493B5232EBAD1541E32294DD49E9D7DB4F42697B8C106E495C5D48B9C725F8F7F7737609453BCECAD30210131638FA8226F22A7
      Malicious:false
      Preview:.....eExif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS6 (Windows).2020:02:22 14:32:10..........................G.......................................................&.(................................./.......H.......H.........XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch....
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 239 x 38, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3212
      Entropy (8bit):7.8941312435452495
      Encrypted:false
      SSDEEP:96:EHnWj+YcswgwrI8Of+1MEvO/+E7y2CVtw8/BjIzr6DCeq4Ze:on0PTwrIdm1rE+5VtJ8zr6DCMM
      MD5:C1C1E5B936BA7D20C26402CEFCFAF971
      SHA1:A99E5861D79DFCBAB209C88DAD7080CF332BA53D
      SHA-256:C9D16D45B706A08AF9D26861358FDBA4A4009F07334A765209B5A891744E90D8
      SHA-512:47EEEF22899AD5CA17C6488AD413E901FEECBD485EBDE3AB9297CEFEEEB5EAC7ADDFCEEEDAE2EF1996215971F83AC43BB6D732105CE09AF28AF3C2116960441B
      Malicious:false
      Preview:.PNG........IHDR.......&.....,.......sBIT....|.d....CIDATx^.].\....@.}.2T%.1f.IV......+HX.a.... a........Te.]P.O.7..J.Q.....p..x.C.._RK.C.|..b..^)....).<......._....8....R./..g.R.W.....R..N.<..80D#..x.O..?.e`....Cg......d7T|PJyz6..N.=.~.x..P..w.7...M.n.p...._.RP.....m........?>.v6..wUV.-.|.Z.....r.r.\............#.c.&...j4........8....e)....'...pf.~3x.n..X.g....X...{u[8..-x_,..f....3x.1.D..I|.q..-...D...^!....D..c..........W...e..iu....9...../._......*..o...c{....~...-}.9..q.y.k.......2(...B..-]m...&.{U.....k.X<.....jE.;..9..l.)>H.........=.'l *..X..3')0.....n..A;.E.........0..X...1.?D..^J.....{...5....o#.v...F.x.P.%r.|.wL^.2].%..r...}....1....0(\..z...:t..}.:....NFCm.2gk.x..I%A...C.}....A..@......n.(*........b .[...#Cz.U..j...g~.$..Z.....q8.?.1Nay........(...Dz%.....B..V.T>.[.r..C>....C..-.(.....a.z.&.K4<...0...L..._m..=..{......./h...g...AV."Y.Q.j.....*.wo...5...Pi3.....y......l.=.N..C>...@.[....xBC..J...+4.G......F...Z...z[
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 150 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3901
      Entropy (8bit):7.898592464130967
      Encrypted:false
      SSDEEP:96:LSMllcHitlIxv9vk7C1+I4wWHLihk/xOQtowZVgEdLOlHnl:LSHIIHUCD4wa/ZrgEROll
      MD5:B150DDCA6CB149A640B5601382858813
      SHA1:EC95A5D1E716AD11B86048ED57232292C89A6A6B
      SHA-256:78BCFEB7F4F3920BB8F9BF320B1205CEDB9F355C7ABE75A3CFCFF60339E90DD5
      SHA-512:89B912865F0FE50E7C0F5964AE2DF6C0022FDBE6730929F68492C150ADBBD313E88A2BFA68FAAD5D77C1997947B28A4DBA85DF9F26D52B3AC6E2ADDD6C7CE12C
      Malicious:false
      Preview:.PNG........IHDR.......2.......".....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 150 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3508
      Entropy (8bit):7.892242540470251
      Encrypted:false
      SSDEEP:96:LSMllcHitlIxv9vk7C1+I4wWHLihk/xi/IIwlQ:LSHIIHUCD4waM/IIwlQ
      MD5:CAC234B9C61E2C4F00FB75BA8C30CF36
      SHA1:1CBF460831146C29779DCC73EA23910F0305EF56
      SHA-256:A6B5762081AC064AFC7E84D5EAF1D97857DF9EF1D269CED7EE775D406925139B
      SHA-512:AD842C49255D87C6865A62E735043F08BBDC55979F6AE1544172FA133E75DD5754EDED950567797FF125589B8B58EF6356574C07E6F829A9CA7CF57B242E0BBC
      Malicious:false
      Preview:.PNG........IHDR.......2.......".....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):17584
      Entropy (8bit):5.334137494451316
      Encrypted:false
      SSDEEP:384:7q2LjfsgDG1Vv4EAxVLip75+L8+oiB48oqNwjOSbyi/iHi+iT4:7hvsgBjYv6CPT4
      MD5:53D0CF49D0DD47DBAC1599CAD52C643C
      SHA1:86F8EA054431EF361ACFCC71C57B6D8BC2294FA1
      SHA-256:E3F719E94936599E9B5B3C42FDD96B59BCED725094CAAA9499BD8F9A3A7F6BEF
      SHA-512:BDD484CFE4DDAE21E758CC82775FDAAA9F908070C71835EA1F1155051F9996127612C4E6FDA115466A9AAF06209257A7B988BFE170CFCEE79036F5F01F086C63
      Malicious:false
      Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">..<html>..<head>..<meta http-equiv="X-UA-Compatible" content="IE=edge" />..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<script id="w8xmainAuto-4-80-1327-0" src='./js/jquery.min.1.6.4.js' type='text/javascript' >..</script>....<script id="w8xmainAuto-4-80-1328-0" src='./js/jquery-ui.min.1.8.0.js' type='text/javascript' >..</script>..<style>....progressbarContainer { position:absolute;left:30px;top:295px;width:755px; }....ui-progressbar { margin-top:-5px;height:10px;text-align: left; }....ui-progressbar .ui-progressbar-value {margin: -1px; height:100%; }.......ui-widget { font-family: Verdana,Arial,sans-serif/*{ffDefault}*/; font-size: 1.1em/*{fsDefault}*/; }....ui-widget .ui-widget { font-size: 1em; }....ui-widget input, .ui-widget select, .ui-widget textarea, .ui-widget button { font-family: Verdana,Arial,sans-serif/*{ffDefault}*/; font-size: 1em; }....ui-wid
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):6526
      Entropy (8bit):5.424015834651287
      Encrypted:false
      SSDEEP:96:7qtLnljcEFAHHNVmccnokSY8AkwNMHW/ERo+7Gi/iVERo+7GieQbGiTZCbp:7qpFoHNkccn/SkGyi/iHi+iT4
      MD5:CC8EF30AAE72DAE57491775DE8D9BF68
      SHA1:9E91EF6F43E528D0D507B7B8F7F53F164D173A60
      SHA-256:C41C7ECE07F92A9EB8BC56849BCD8FCA2ED1A83FFA4BA9186F7AFC1A35C6E4E9
      SHA-512:2CCCA655E2784A84B637ACF083458BBE1FB4D885B50B45185E2A7657FDBB1901CCDF3376A52ED694D921B2426D549C5071151FE5FE0417F180BB15FE7DD8350A
      Malicious:false
      Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">..<html>..<head>..<meta http-equiv="X-UA-Compatible" content="IE=edge" />..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<script id="w8xmainAuto-4-80-1327-0" src='./js/jquery.min.1.6.4.js' type='text/javascript' >..</script>....<script id="w8xmainAuto-4-80-1328-0" src='./js/jquery-ui.min.1.8.0.js' type='text/javascript' >..</script>..<style>....progressbarContainer { position:absolute;left:30px;top:295px;width:755px; }....ui-progressbar { margin-top:-5px;height:10px;text-align: left; }....ui-progressbar .ui-progressbar-value {margin: -1px; height:100%; }.......ui-widget { font-family: Verdana,Arial,sans-serif/*{ffDefault}*/; font-size: 1.1em/*{fsDefault}*/; }....ui-widget .ui-widget { font-size: 1em; }....ui-widget input, .ui-widget select, .ui-widget textarea, .ui-widget button { font-family: Verdana,Arial,sans-serif/*{ffDefault}*/; font-size: 1em; }....ui-wid
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):424
      Entropy (8bit):5.231681242477565
      Encrypted:false
      SSDEEP:6:dWoHnAqlfbpSRGvzyq2wuscwRxMQmhVao2q2osbDHnAnoOCyq+KXuLrO8g6xfdT8:8Ubp/vzyWHm+oUHhOJ2X1+FT8
      MD5:95130D201B9E29A8D9E1A256DCFF2B1E
      SHA1:42CF9F0F6B502F7FD511DF71C8977FF6E24A98CB
      SHA-256:E2E327016B20676152CCAFBE32623D013BCEB3370D0566F14946070F343710B2
      SHA-512:C40764856DC326A4660BA4B46FDC9EB09F9ABC13F2880E40788C6250B90FDBAE74D076718247D62F4BDEA967FEE84D7E4A3717D501CAE556847336282099C507
      Malicious:false
      Preview:<div id="##PAGE_ID##" class='selPage' style="width:300px;height:240px">...<div style="position:absolute;left:80px;top:30px;"><img src="./img/mediaget-logo.png"></div>...<div class='progressbarContainer' style="position:absolute;left:30px;top:190px;width:240px;">....<div id="progressbar"></div>....<div style="color:grey;text-align: center;font-size: 12px;">##Downloaded## <span id="process">0</span>%</div>...</div>..</div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:ASCII text, with very long lines (58946), with CRLF, CR, LF line terminators
      Category:dropped
      Size (bytes):207176
      Entropy (8bit):5.22161198174035
      Encrypted:false
      SSDEEP:3072:WpAlcXnwc+NAdbvTdaVhr4aoaj7/cEItIwCkGWCs3T:WqaB+NuchrbrsEItImGWfj
      MD5:A4FDD77E182BD2FABE300A47B5617A35
      SHA1:E002B335C75B5EDEFCD251962F61F53A2AB8E0F2
      SHA-256:8B59592D67EADC703AF6CDD5BA8D077F9F9485D01FB6405555614335F89BE99B
      SHA-512:DDCCCDE1C129F8F71FB39685ABC615C4202B8B3DFC12CEDD7D9CCA2F97B308FC14B64497826421FA9DF3D1CF54BDAE9C085051AF0A8D393CD3D556A6578D4085
      Malicious:false
      Preview:/*!.. * jQuery UI 1.8.. *.. * Copyright (c) 2010 AUTHORS.txt (http://jqueryui.com/about).. * Dual licensed under the MIT (MIT-LICENSE.txt).. * and GPL (GPL-LICENSE.txt) licenses... *.. * http://docs.jquery.com/UI.. */./*. * jQuery UI 1.8. *. * Copyright (c) 2010 AUTHORS.txt (http://jqueryui.com/about). * Dual licensed under the MIT (MIT-LICENSE.txt). * and GPL (GPL-LICENSE.txt) licenses.. *. * http://docs.jquery.com/UI. */.jQuery.ui||(function(a){a.ui={version:"1.8",plugin:{add:function(c,d,f){var e=a.ui[c].prototype;for(var b in f){e.plugins[b]=e.plugins[b]||[];e.plugins[b].push([d,f[b]])}},call:function(b,d,c){var f=b.plugins[d];if(!f||!b.element[0].parentNode){return}for(var e=0;e<f.length;e++){if(b.options[f[e][0]]){f[e][1].apply(b.element,c)}}}},contains:function(d,c){return document.compareDocumentPosition?d.compareDocumentPosition(c)&16:d!==c&&d.contains(c)},hasScroll:function(e,c){if(a(e).css("overflow")=="hidden"){return false}var b=(c&&c=="left")?"scrollLeft":"scrollTop",d=fa
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with very long lines (32769), with CRLF line terminators
      Category:dropped
      Size (bytes):91671
      Entropy (8bit):5.368573359674578
      Encrypted:false
      SSDEEP:1536:wttlIQq8jYAJohe7evhKHIJvuUO7prb3qJz34yfbvTXYActjaO7UX5X8BKg1hJOw:IJjxpIpuVkRECra92Zp8++
      MD5:EA75B2A8F1B4241A872B1CBDDBAED154
      SHA1:18678DD78C1F5A3525127B442BC70375FAF09C16
      SHA-256:4A62927A380E201C4EE51321DCC1E6B1F7DFBF82049CF349DF990629E01E9178
      SHA-512:DC69CD4703DCBA3C8F4A52058C44A34FA7C0B6096BED20F30CE3DAB872461EB6DDA9D0D381137B9CB022219AD92CA7F5F25D3964ED33D5F41E9FC05EFA5330FD
      Malicious:false
      Preview:/*! jQuery v1.6.4 http://jquery.com/ | http://jquery.org/license */..(function(a,b){function cu(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cr(a){if(!cg[a]){var b=c.body,d=f("<"+a+">").appendTo(b),e=d.css("display");d.remove();if(e==="none"||e===""){ch||(ch=c.createElement("iframe"),ch.frameBorder=ch.width=ch.height=0),b.appendChild(ch);if(!ci||!ch.createElement)ci=(ch.contentWindow||ch.contentDocument).document,ci.write((c.compatMode==="CSS1Compat"?"<!doctype html>":"")+"<html><body>"),ci.close();d=ci.createElement(a),ci.body.appendChild(d),e=f.css(d,"display"),b.removeChild(ch)}cg[a]=e}return cg[a]}function cq(a,b){var c={};f.each(cm.concat.apply([],cm.slice(0,b)),function(){c[this]=a});return c}function cp(){cn=b}function co(){setTimeout(cp,0);return cn=f.now()}function cf(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}function ce(){try{return new a.XMLHttpRequest}catch(b){}}function b$(a,c){a.dataFilter&&(c=a.dataFilter(c,a.d
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 136 x 135, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):14680
      Entropy (8bit):7.975231268423949
      Encrypted:false
      SSDEEP:192:TSHIIHUCD4waY5iW8C6HYTSH4DduFk09rhQ+zXckMC2a03SIDwwdv9YPjBKCvJNQ:G50wL5VzSH4keQ5zNjQNwwdvUVZWKT2
      MD5:A27C51E0821FF975C33C70578BBE1D97
      SHA1:E067C98EC18DA0264209247A898958334778DDFC
      SHA-256:29EBD96D14DEE8E335A674BF093AF7ABFD1CBD931B3277516FBCD037366D1344
      SHA-512:4ECFD3CE91179FD6E59C8FA97322EF36A46C773FD608577343D96C97492D39F6DA42E7926C67883A3C48782A5293D1FA71D043380ACC0D8A41538241F1ED0395
      Malicious:false
      Preview:.PNG........IHDR.....................pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):352
      Entropy (8bit):5.266036294387012
      Encrypted:false
      SSDEEP:6:h4QK/TJyVK50RfHmf7JY7E8Mjq2UpeaMQoNev1d7rv0SyZRWAtfGb:hPCxSmtGEzj6pXoNKd7b0rZzBGb
      MD5:3E2A88C55776A6118C91B8B11D5211A3
      SHA1:E42024445C7859365C52C305B08B50152BD1E256
      SHA-256:57B689D69089B3DE9BE51928FE6C9A08664F986BC68EBABBB886BF3C26B1EC03
      SHA-512:706232D6C903955385AB95248E46BF293ED457AAF56B4095B023C782892D5A702B1DA1E69F3DE8FA81A9140D1E0F90C0DFCA5F7D28071DA3E3318DBBA9477F26
      Malicious:false
      Preview:<!DOCTYPE html>..<html>.. <head>.. <style>.. body {....background-color: rgb(230,230,230);.. }.. </style>.. </head>.. <body>.. <div style="position:absolute;left:40px;top:40px;"><img src="mediaget-logo.png"></div>.. <div style='position:absolute;left:230px;top:150px; font-size: 20px; face: Calibri'><b>Please wait...</b></div>.. </body>..</html>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):262
      Entropy (8bit):5.186582224778847
      Encrypted:false
      SSDEEP:6:hn8FQiowadCc4svmz2vyW3tL6QcjWR0NNEXW0YFb/0MIYpfGu:hnMQbwuOCvyg96Qclfd/LIYNGu
      MD5:3CBCD0750AF01FCE7CAEBAA5CC3A53C7
      SHA1:F3C8BB3D74D60C45A7B36A636D1D42DAF8E73611
      SHA-256:337518A9EEB31E8DB3F44146FB601167E09FD5F4F541A9D75769165A975A2CA9
      SHA-512:3AD80DF1CEE12F7B714B36C6F40A67A6C4B1DFB0447E1FDF8092B4F11E4D17CE68043EDC102160B5D61485504BB0BF22EF71C7C222F7D82DB0F92757B9D2CFFB
      Malicious:false
      Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">..<html>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<title></title>..</head>..<body>..<center>..</center>..</body>..</html>..
      File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
      Entropy (8bit):7.9604031747484205
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.66%
      • UPX compressed Win32 Executable (30571/9) 0.30%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:ExeFile (200).exe
      File size:796'552 bytes
      MD5:f5d9021bf02680122ef5de324eb173b2
      SHA1:e69e5676df042c1c54d9167d43646d5a89e4384c
      SHA256:4df448b9c01fb42bdf6482f214bdb005a27396206c8b81a40bc63782c2404eca
      SHA512:2245761ffeffbf90d321b74684a25bf75c73e16594806c14b81a2afb9605e358f5b3a5d7ddd177fb5deb207cc29e065381a4cb15bb95b798ef48b5d321693450
      SSDEEP:24576:fEifyPr6VykH1rBM6B8pfrCeG01qPx1q90i8dcE3b:f5y8JpBQ+eWyocI
      TLSH:CE052350CC23711EF4A2DCBDA9B3E46D28B2B521DEBB2927C224ED4D5E6B2F7911510C
      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........2._.\\_.\\_.\\A..\].\\A..\Q.\\...\W.\\x]1\W.\\_.]\..\\x]'\D.\\A..\9.\\A..\Q.\\V..\V.\\V..\^.\\A..\b.\\A..\^.\\_..\^.\\A..\^.\
      Icon Hash:0b1944568dc9670e
      Entrypoint:0x5542f0
      Entrypoint Section:UPX1
      Digitally signed:true
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Time Stamp:0x5F356889 [Thu Aug 13 16:21:29 2020 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:0
      File Version Major:5
      File Version Minor:0
      Subsystem Version Major:5
      Subsystem Version Minor:0
      Import Hash:4df93d97d4492252024a19a15300482f
      Signature Valid:true
      Signature Issuer:CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
      Signature Validation Error:The operation completed successfully
      Error Number:0
      Not Before, Not After
      • 01/09/2020 01:00:00 02/09/2023 00:59:59
      Subject Chain
      • CN=Global Microtrading PTE. LTD, OU=IT, O=Global Microtrading PTE. LTD, L=Singapore, C=SG
      Version:3
      Thumbprint MD5:3571D2A43D0452D16321E8A34FDD412C
      Thumbprint SHA-1:7B6E285393B4F4A57241D0AFD183649D83EFAB30
      Thumbprint SHA-256:D3F6324BE081B932A99FACD45590264DCA6FD06DB6681B3D868FD65301B16209
      Serial:1DDA30FE3206C23D83CBDB7638C09051
      Instruction
      pushad
      mov esi, 004FD000h
      lea edi, dword ptr [esi-000FC000h]
      push edi
      jmp 00007FE7D4B719FDh
      nop
      mov al, byte ptr [esi]
      inc esi
      mov byte ptr [edi], al
      inc edi
      add ebx, ebx
      jne 00007FE7D4B719F9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      jc 00007FE7D4B719DFh
      mov eax, 00000001h
      add ebx, ebx
      jne 00007FE7D4B719F9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      adc eax, eax
      add ebx, ebx
      jnc 00007FE7D4B719FDh
      jne 00007FE7D4B71A1Ah
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      jc 00007FE7D4B71A11h
      dec eax
      add ebx, ebx
      jne 00007FE7D4B719F9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      adc eax, eax
      jmp 00007FE7D4B719C6h
      add ebx, ebx
      jne 00007FE7D4B719F9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      adc ecx, ecx
      jmp 00007FE7D4B71A44h
      xor ecx, ecx
      sub eax, 03h
      jc 00007FE7D4B71A03h
      shl eax, 08h
      mov al, byte ptr [esi]
      inc esi
      xor eax, FFFFFFFFh
      je 00007FE7D4B71A67h
      sar eax, 1
      mov ebp, eax
      jmp 00007FE7D4B719FDh
      add ebx, ebx
      jne 00007FE7D4B719F9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      jc 00007FE7D4B719BEh
      inc ecx
      add ebx, ebx
      jne 00007FE7D4B719F9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      jc 00007FE7D4B719B0h
      add ebx, ebx
      jne 00007FE7D4B719F9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      adc ecx, ecx
      add ebx, ebx
      jnc 00007FE7D4B719E1h
      jne 00007FE7D4B719FBh
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      jnc 00007FE7D4B719D6h
      add ecx, 02h
      cmp ebp, FFFFFB00h
      adc ecx, 02h
      lea edx, dword ptr [edi+ebp]
      cmp ebp, FFFFFFFCh
      jbe 00007FE7D4B71A00h
      mov al, byte ptr [edx]
      Programming Language:
      • [IMP] VS2008 build 21022
      • [ASM] VS2008 build 21022
      • [ C ] VS2005 build 50727
      • [IMP] VS2005 build 50727
      • [ C ] VS2008 build 21022
      • [ C ] VS2008 SP1 build 30729
      • [C++] VS2008 SP1 build 30729
      • [C++] VS2008 build 21022
      • [RES] VS2008 build 21022
      • [LNK] VS2008 build 21022
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1bc59c | 0x304 | .rsrc
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x155000 | 0x6759c | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0xbf400 | 0x3388 | UPX0
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1bc8a0 | 0x10 | .rsrc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1544d4 | 0x48 | UPX1
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      UPX0 | 0x1000 | 0xfc000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      UPX1 | 0xfd000 | 0x58000 | 0x57600 | 6673a2846b78919c209dac22fbeb5ad7 | False | 0.9912011579041488 | data | 7.9199376549288605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0x155000 | 0x68000 | 0x67a00 | daaa512576535c06f65ebe99b93c7cbb | False | 0.9743619948733414 | data | 7.961300068530892 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      ARCHIVE_7Z | 0x155348 | 0x5eccb | 7-zip archive data, version 0.3 | Russian | Russia | 1.000324492208324
      ARCHIVE_7Z | 0x1b4018 | 0x3b96 | 7-zip archive data, version 0.3 | Russian | Russia | 1.0007211223285695
      RT_ICON | 0x1b7bb4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.44543568464730293
      RT_ICON | 0x1ba160 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.5372889305816135
      RT_ICON | 0x1bb20c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.4840163934426229
      RT_ICON | 0x1bbb98 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.4583333333333333
      RT_DIALOG | 0x140fe8 | 0x110 | data | English | United States | 1.0404411764705883
      RT_ACCELERATOR | 0x1410f8 | 0x70 | data | English | United States | 1.0982142857142858
      RT_GROUP_ICON | 0x1bc004 | 0x3e | data | English | United States | 0.8064516129032258
      RT_VERSION | 0x1bc048 | 0x21c | data | English | United States | 0.4962962962962963
      RT_MANIFEST | 0x1bc268 | 0x334 | ASCII text, with very long lines (588), with CRLF line terminators | English | United States | 0.5073170731707317
      None | 0x1416f8 | 0xaa | data | English | United States | 1.0647058823529412
      DLL | Import
      ADVAPI32.dll | FreeSid
      COMCTL32.dll | ImageList_GetIcon
      CRYPT32.dll | CertOpenStore
      GDI32.dll | BitBlt
      KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
      MSVCR90.dll | feof
      ole32.dll | OleRun
      OLEAUT32.dll | VariantChangeType
      PSAPI.DLL | EnumProcesses
      SHELL32.dll |
      SHLWAPI.dll | PathCombineW
      USER32.dll | GetDC
      WININET.dll | InternetOpenW
      WS2_32.dll | getpeername
      Language of compilation system | Country where language is spoken | Map
      Russian | Russia |
      English | United States |
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Aug 20, 2024 16:36:33.775501013 CEST | 49736 | 80 | 192.168.2.4 | 185.130.105.44
      Aug 20, 2024 16:36:33.782970905 CEST | 80 | 49736 | 185.130.105.44 | 192.168.2.4
      Aug 20, 2024 16:36:33.783116102 CEST | 49736 | 80 | 192.168.2.4 | 185.130.105.44
      Aug 20, 2024 16:36:33.783361912 CEST | 49736 | 80 | 192.168.2.4 | 185.130.105.44
      Aug 20, 2024 16:36:33.791522026 CEST | 80 | 49736 | 185.130.105.44 | 192.168.2.4
      Aug 20, 2024 16:36:34.413347006 CEST | 80 | 49736 | 185.130.105.44 | 192.168.2.4
      Aug 20, 2024 16:36:34.413419008 CEST | 49736 | 80 | 192.168.2.4 | 185.130.105.44
      Aug 20, 2024 16:38:23.703824043 CEST | 49736 | 80 | 192.168.2.4 | 185.130.105.44
      Aug 20, 2024 16:38:23.709274054 CEST | 80 | 49736 | 185.130.105.44 | 192.168.2.4
      Aug 20, 2024 16:38:23.709367990 CEST | 49736 | 80 | 192.168.2.4 | 185.130.105.44
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Aug 20, 2024 16:36:33.734426022 CEST | 49634 | 53 | 192.168.2.4 | 1.1.1.1
      Aug 20, 2024 16:36:33.755599976 CEST | 53 | 49634 | 1.1.1.1 | 192.168.2.4
      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
      Aug 20, 2024 16:36:33.734426022 CEST | 192.168.2.4 | 1.1.1.1 | 0x3c46 | Standard query (0) | install.mediaget.com | A (IP address) | IN (0x0001) | false
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Aug 20, 2024 16:36:33.755599976 CEST | 1.1.1.1 | 192.168.2.4 | 0x3c46 | No error (0) | install.mediaget.com | lb-ks-1.mediaget.com | | CNAME (Canonical name) | IN (0x0001) | false
      Aug 20, 2024 16:36:33.755599976 CEST | 1.1.1.1 | 192.168.2.4 | 0x3c46 | No error (0) | lb-ks-1.mediaget.com | | 185.130.105.44 | A (IP address) | IN (0x0001) | false
      Aug 20, 2024 16:36:33.755599976 CEST | 1.1.1.1 | 192.168.2.4 | 0x3c46 | No error (0) | lb-ks-1.mediaget.com | | 193.0.201.29 | A (IP address) | IN (0x0001) | false
      • install.mediaget.com
      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      0 | 192.168.2.4 | 49736 | 185.130.105.44 | 80 | 7432 | C:\Users\user\Desktop\ExeFile (200).exe
      Timestamp | Bytes transferred | Direction | Data
      Aug 20, 2024 16:36:33.783361912 CEST | 359 | OUT | GET /index2.php HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
      Host: install.mediaget.com
      Content-Length: 124
      Cache-Control: no-cache
      Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 6d 65 64 69 61 67 65 74 49 6e 73 74 61 6c 6c 65 72 20 66 69 6c 65 5f 6e 61 6d 65 3d 22 45 78 65 46 69 6c 65 20 28 32 30 30 29 2e 65 78 65 22 20 61 63 74 69 6f 6e 3d 22 73 74 61 72 74 22 20 73 74 61 74 56 65 72 73 69 6f 6e 3d 22 33 39 39 22 2f 3e 0a 0a
      Data Ascii: <?xml version="1.0" encoding="UTF-8"?><mediagetInstaller file_name="ExeFile (200).exe" action="start" statVersion="399"/>
      Aug 20, 2024 16:36:34.413347006 CEST | 192 | IN | HTTP/1.1 200 OK
      Content-Type: text/html; charset=UTF-8
      Date: Tue, 20 Aug 2024 14:36:34 GMT
      Server: openresty
      Vary: Accept-Encoding
      X-Powered-By: PHP/5.6.32
      Content-Length: 9
      Data Raw: 38 38 30 37 35 31 39 37 35
      Data Ascii: 880751975



      Target ID:0
      Start time:10:36:31
      Start date:20/08/2024
      Path:C:\Users\user\Desktop\ExeFile (200).exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\ExeFile (200).exe"
      Imagebase:0xc30000
      File size:796'552 bytes
      MD5 hash:F5D9021BF02680122EF5DE324EB173B2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:false

        APIs
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00C66CD0
        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C67173
        • GetLastError.KERNEL32 ref: 00C6718A
        • GetLastError.KERNEL32 ref: 00C66CEA
          • Part of subcall function 00C6D850: FormatMessageW.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,?,?,?,0000000F), ref: 00C6D8DF
          • Part of subcall function 00C6D850: GetLastError.KERNEL32(?,?,?,0000000F), ref: 00C6D8E9
          • Part of subcall function 00C6D850: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C6D98E
          • Part of subcall function 00C6D850: LocalFree.KERNEL32(?), ref: 00C6D951
          • Part of subcall function 00C3AE10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AE5F
        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C66E6A
        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00C66E88
        • InternetConnectW.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00C66EFD
        • HttpOpenRequestW.WININET(?,GET,?,00000000,00000000,00000000,84000000,00000000), ref: 00C66F74
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • InternetQueryOptionW.WININET ref: 00C66FB1
        • InternetSetOptionW.WININET(?,0000001F,?,00000004), ref: 00C66FC9
        • HttpSendRequestW.WININET(?,00000000,00000000,?,?), ref: 00C66FF9
        • HttpQueryInfoW.WININET ref: 00C67029
        • GetTickCount.KERNEL32 ref: 00C67065
        • GetTickCount.KERNEL32 ref: 00C67086
        • InternetReadFile.WININET(?,?,0000FFFF,?), ref: 00C670BA
        • GetLastError.KERNEL32 ref: 00C670C8
        • GetTickCount.KERNEL32 ref: 00C67329
        • GetLastError.KERNEL32 ref: 00C673F0
        • GetLastError.KERNEL32 ref: 00C67430
          • Part of subcall function 00C48CA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C48D3A
        • GetLastError.KERNEL32 ref: 00C674AF
        • SetEndOfFile.KERNEL32(?), ref: 00C6754A
        • GetLastError.KERNEL32 ref: 00C675CD
        • CloseHandle.KERNEL32(?), ref: 00C67663
        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00C67695
        • Sleep.KERNEL32(000003E8), ref: 00C676A3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLast$File$Internet$CountHttpTick$ByteCharCreateIos_base_dtorMultiOpenOptionQueryRequestWidestd::ios_base::_$CloseConnectFormatFreeHandleInfoLocalMessagePointerReadSendSleepString_base::_WriteXlenstd::_
        • String ID: - $404$Can't create file $Can't open internet connection: $Can't open internet request: $Can't open internet session: $Can't send internet request: $Error in InternetReadFile: $GET$Not Found$Unable to write in file: $https$not found
        • API String ID: 3689052399-209034117
        • Opcode ID: 46e8c8d8f68fbc6e17c267d75eb8a8bf4d9bdd574408784ce4f2531ff00c23b2
        • Instruction ID: 4f4d0c3d799a8265ef595820c37e26efff8fd15000d3419aa449bb3b9186eb20
        • Opcode Fuzzy Hash: 46e8c8d8f68fbc6e17c267d75eb8a8bf4d9bdd574408784ce4f2531ff00c23b2
        • Instruction Fuzzy Hash: 11627FB15087809FD330DF65C8C5B9BB7E9BB98304F104E2DF1AA87291DB74A944DB62
        APIs
        • InterlockedIncrement.KERNEL32(00D07454), ref: 00C783EC
        • CloseHandle.KERNEL32(00000000,00000000), ref: 00C784DB
        • RtlInitializeCriticalSection.NTDLL(0000009C), ref: 00C7852D
        • CreateSemaphoreW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00C7853E
        • CreateSemaphoreW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00C7854B
        • CreateThread.KERNEL32(00000000,00010000,Function_00047760,00000000,00000000,00000007), ref: 00C78571
        • LoadLibraryW.KERNEL32(dbghelp.dll), ref: 00C78588
        • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 00C7859D
        • LoadLibraryW.KERNEL32(rpcrt4.dll), ref: 00C785A7
        • GetProcAddress.KERNEL32(00000000,UuidCreate), ref: 00C785B6
        • RtlInitializeCriticalSection.NTDLL(00D07434), ref: 00C785F8
        • RtlEnterCriticalSection.NTDLL(00D07434), ref: 00C7860D
        • SetUnhandledExceptionFilter.KERNEL32(00C78180,00000000), ref: 00C7866A
        • RtlLeaveCriticalSection.NTDLL(00D07434), ref: 00C786AB
          • Part of subcall function 00C77800: CloseHandle.KERNEL32(?,00000000,00000000,00C78512), ref: 00C77812
          • Part of subcall function 00C77800: CloseHandle.KERNEL32(?,00000000,00000000,00C78512), ref: 00C7781C
          • Part of subcall function 00C77800: CloseHandle.KERNEL32(?,00000000,00000000,00C78512), ref: 00C77826
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CloseCriticalHandleSection$Create$AddressInitializeLibraryLoadProcSemaphore$EnterExceptionFilterIncrementInterlockedLeaveThreadUnhandled
        • String ID: MiniDumpWriteDump$UuidCreate$dbghelp.dll$rpcrt4.dll
        • API String ID: 57612072-801898421
        • Opcode ID: ae100350f596454ac5686767aa581b53fd1b8d2e3433b70e47b60327c76f6d4a
        • Instruction ID: 8c15779a90eb80e283423b9795c7e6723d51527702e5e605c488e070dcb3fb4c
        • Opcode Fuzzy Hash: ae100350f596454ac5686767aa581b53fd1b8d2e3433b70e47b60327c76f6d4a
        • Instruction Fuzzy Hash: 2981B3B1A447409FD760DF35C885B6AFBE5BB84710F54892EF2AE87351DB30A904CB52
        APIs
          • Part of subcall function 00C601F0: RtlEnterCriticalSection.NTDLL(00D078D0), ref: 00C601FC
          • Part of subcall function 00C601F0: RegisterClipboardFormatW.USER32(WM_ATLGETHOST), ref: 00C6020D
          • Part of subcall function 00C601F0: RegisterClipboardFormatW.USER32(WM_ATLGETCONTROL), ref: 00C60219
          • Part of subcall function 00C601F0: GetClassInfoExW.USER32(00C30000,AtlAxWin90,?), ref: 00C60240
          • Part of subcall function 00C601F0: LoadCursorW.USER32 ref: 00C6027E
          • Part of subcall function 00C601F0: RegisterClassExW.USER32 ref: 00C602A1
          • Part of subcall function 00C601F0: GetClassInfoExW.USER32(00C30000,AtlAxWinLic90,?), ref: 00C602EA
          • Part of subcall function 00C601F0: LoadCursorW.USER32 ref: 00C60322
          • Part of subcall function 00C601F0: RegisterClassExW.USER32 ref: 00C60345
        • FindResourceW.KERNEL32 ref: 00C65516
        • FindResourceW.KERNEL32(?,?,000000F0), ref: 00C65529
        • LoadResource.KERNEL32(?,00000000), ref: 00C65539
        • LockResource.KERNEL32(00000000), ref: 00C6553C
        • LoadResource.KERNEL32(?,00000000), ref: 00C6554E
        • LockResource.KERNEL32(00000000), ref: 00C65555
        • CreateDialogIndirectParamW.USER32(?,00000000,?,?,?), ref: 00C6557E
        • GetLastError.KERNEL32 ref: 00C6558A
        • GlobalHandle.KERNEL32(00000000), ref: 00C65599
        • GlobalFree.KERNEL32(00000000), ref: 00C655A0
        • GetLastError.KERNEL32 ref: 00C655A8
        • SetLastError.KERNEL32(00000000), ref: 00C655BF
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Resource$ClassLoadRegister$ErrorLast$ClipboardCursorFindFormatGlobalInfoLock$CreateCriticalDialogEnterFreeHandleIndirectParamSection
        • String ID:
        • API String ID: 826518874-0
        • Opcode ID: 4e233486c892613455e3fa46cd3540bd45f10dd1a59678dc7ea0ee5f54c3fe54
        • Instruction ID: 0642681b83992f1ffea52c0ca1471e557327d6ed1f063515558bd18fe794a8e9
        • Opcode Fuzzy Hash: 4e233486c892613455e3fa46cd3540bd45f10dd1a59678dc7ea0ee5f54c3fe54
        • Instruction Fuzzy Hash: 59218E75604741AFC220AB64ACCCB2FB7ACEF89752F150519F941D7200DB74DE058AB2
        APIs
        • GetFileAttributesW.KERNEL32(?,00000010,00000000), ref: 00C69D7F
        • DeleteFileW.KERNEL32(?), ref: 00C69D8B
        • FindFirstFileW.KERNEL32(00000000,?), ref: 00C69E5A
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: File$AttributesDeleteFindFirst
        • String ID:
        • API String ID: 1749635688-0
        • Opcode ID: 0dacfa7647c75e097f07ca0c3c799874b76eadddcf18bcc87ca7d76bd2552042
        • Instruction ID: 58d3b8fe055c361853a2c1055ac39713adc4dbe4361ba806409fc7589b390fab
        • Opcode Fuzzy Hash: 0dacfa7647c75e097f07ca0c3c799874b76eadddcf18bcc87ca7d76bd2552042
        • Instruction Fuzzy Hash: A5D1CEB14083819BD330EB24C8C5B9FB7E9AFA5704F040A2DF59697291E736DA45CB93
        APIs
        • GetProcessHeap.KERNEL32(00000000,0000000D,?,00C510CE,?,00C505AB,00000000), ref: 00CD5088
        • RtlAllocateHeap.NTDLL(00000000,?,00C505AB), ref: 00CD508F
          • Part of subcall function 00CD4FA0: IsProcessorFeaturePresent.KERNEL32(0000000C,00CD5076,?,00C510CE,?,00C505AB,00000000), ref: 00CD4FA2
        • RtlInterlockedPopEntrySList.NTDLL(014274A0), ref: 00CD509C
        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00C505AB,00000000), ref: 00CD50B1
        • RtlInterlockedPopEntrySList.NTDLL(?), ref: 00CD50CA
        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00C505AB,00000000), ref: 00CD50DE
        • RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00CD50F5
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: EntryInterlockedList$HeapVirtual$AllocAllocateFeatureFreePresentProcessProcessorPush
        • String ID:
        • API String ID: 1137860932-0
        • Opcode ID: e3558d2ec0094ec2317d1a0e1e5ebce494623e7544aa386e13ee65822707db6f
        • Instruction ID: 4cecb4af5d413893a5a3829fcbcac91da66f008d3898b0485f936bca1ed42272
        • Opcode Fuzzy Hash: e3558d2ec0094ec2317d1a0e1e5ebce494623e7544aa386e13ee65822707db6f
        • Instruction Fuzzy Hash: 3E014431A48711A7DB316768BC4CF6A27A9EB40751F154022FB95DA390DB71EC41DAB0
        APIs
        • LoadLibraryA.KERNEL32(?), ref: 00D8442A
        • GetProcAddress.KERNEL32(?,00D7CFF9), ref: 00D84448
        • ExitProcess.KERNEL32(?,00D7CFF9), ref: 00D84459
        • VirtualProtect.KERNEL32(00C30000,00001000,00000004,?,00000000), ref: 00D844A7
        • VirtualProtect.KERNEL32(00C30000,00001000), ref: 00D844BC
        Memory Dump Source
        • Source File: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
        • String ID:
        • API String ID: 1996367037-0
        • Opcode ID: e425c2295188aff8d805430eae56c9bdd61b488a7441a1ff012b4af64efa94d4
        • Instruction ID: 089fceefa096b639de2f0946808cc7d0e1abb5b23835941b4c067fd839309195
        • Opcode Fuzzy Hash: e425c2295188aff8d805430eae56c9bdd61b488a7441a1ff012b4af64efa94d4
        • Instruction Fuzzy Hash: DF51F3B2A953535BD720AEBC9CC06A4B7A4EB5232472C0739C5E6C77C6E7E0590687B0
        APIs
        • CreateToolhelp32Snapshot.KERNEL32 ref: 00C72677
        • Process32FirstW.KERNEL32(00000000,00000002), ref: 00C72684
        • Process32NextW.KERNEL32(00000000,?), ref: 00C726A9
        • FindCloseChangeNotification.KERNEL32(00000000,00000000,00000002), ref: 00C726B8
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
        • String ID:
        • API String ID: 3243318325-0
        • Opcode ID: 2445e3fca72072c65838b81dd8be960e16c067c090641c4da59ae67f15f66690
        • Instruction ID: 5634a3518e068531986ea95184b2dc9e40340af443525b60ef307454795da00a
        • Opcode Fuzzy Hash: 2445e3fca72072c65838b81dd8be960e16c067c090641c4da59ae67f15f66690
        • Instruction Fuzzy Hash: 1A0184716053006FE224EB65DC8AF6FB3E8FFD4350F50492EF65986240EB749E0486A3
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • CreateNamedPipeW.KERNEL32(?,40080003,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00C560B1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$CreateNamedPipe
        • String ID: CreateNamedPipe failed: $\\.\pipe\
        • API String ID: 3952897411-3071662798
        • Opcode ID: 26d475a454a51875766099eb0231a9ff59b2c7fbc54d568fce7a6da54a4133d1
        • Instruction ID: 30a8aed0d1c6457dc00cd0580c55b3a0cc4f82861d3252d9195d89be6b5a3e25
        • Opcode Fuzzy Hash: 26d475a454a51875766099eb0231a9ff59b2c7fbc54d568fce7a6da54a4133d1
        • Instruction Fuzzy Hash: 3B31AEF6408740AFD700DF649881A5BB7E8EB94314F444A2EF59683382E735E948CBA7
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00C58171
        • RtlEnterCriticalSection.NTDLL(00D06BB8), ref: 00C58185
        • RtlLeaveCriticalSection.NTDLL(00D06BB8), ref: 00C5819E
        • LoadBitmapW.USER32(00C30000,000000CD), ref: 00C58200
        • GetDlgItem.USER32(?,000003EB), ref: 00C5823C
        • ShowWindow.USER32(?,00000000,?,000003EB,?), ref: 00C58252
        • LoadBitmapW.USER32(00C30000,000000CE), ref: 00C5828F
        • SetWindowLongW.USER32(?,000000F0,00000000,?,000003EB,?), ref: 00C582BB
        • ShowWindow.USER32(000000F0,00000000,?,000000F0,00000000,?,000003EB,?), ref: 00C582C6
        • ShowWindow.USER32(?,00000000,?,000000F0,00000000,?,000003EB,?), ref: 00C582D4
        • GetDlgItem.USER32(?,000003E8), ref: 00C582E2
        • LoadImageW.USER32(00C30000,000000DB), ref: 00C58322
        • 73A1A570.USER32(00000000), ref: 00C5832F
        • MulDiv.KERNEL32(0000000A,00000000), ref: 00C58347
        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,000001F4,00000000,00000000,00000000,00000001,00000000,00000000,00000004,00000000,Tahoma), ref: 00C58375
        • SetWindowPos.USER32(?,00000000,00000000,00000000,000002A8,00000136,00000202), ref: 00C58396
          • Part of subcall function 00C58630: GetParent.USER32 ref: 00C58663
          • Part of subcall function 00C58630: GetWindowRect.USER32(?,?), ref: 00C5867C
          • Part of subcall function 00C58630: MonitorFromWindow.USER32(?,00000002), ref: 00C586B0
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • SetWindowTextW.USER32(?,?), ref: 00C5840A
        • InterlockedDecrement.KERNEL32(?), ref: 00C58423
        • LoadImageW.USER32(00C30000,00000080), ref: 00C5853A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Window$Load$Show$BitmapByteCharCriticalImageItemMultiSectionWide$A570CreateCurrentDecrementEnterFontFromInterlockedLeaveLongMonitorParentRectTextThread
        • String ID: Quit installation$Tahoma
        • API String ID: 367893165-1570944880
        • Opcode ID: 70e062680b3f4de0c7213371ab600404e54b2fe69f88ba6dada975563491bfc9
        • Instruction ID: eb439988c64619defe2562e982d2e9726808ebc225416c9aa5d49d263142918c
        • Opcode Fuzzy Hash: 70e062680b3f4de0c7213371ab600404e54b2fe69f88ba6dada975563491bfc9
        • Instruction Fuzzy Hash: CFD188B1504745AFD710EF64CC85B6BB7ECFB84304F004A1DF5AA9B291EB74A948CB62
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: FailCnt: $ $!$CRC error$Can't allocate memory$Can't close output file $Can't create directory $Can't open output file $Can't write output file $Decoder doesn't support this archive$Error $Memory$Resource: $SZ_ERROR_FAIL: $Sha1: $Size: $Unable to load resource $Unable to open
        • API String ID: 0-33340204
        • Opcode ID: 9f431862dbc64320a20e82209022440b5a4bcdb5bde773c76caebf497b47b259
        • Instruction ID: 850b6466abde4c4350b7e664dda7d4bfa70fcd9bbf84c31ba7c622a0cafe6c1f
        • Opcode Fuzzy Hash: 9f431862dbc64320a20e82209022440b5a4bcdb5bde773c76caebf497b47b259
        • Instruction Fuzzy Hash: 4BA28CB55083809BC734DF65C881A9FB7E9AFD4305F004E2DF69987241DB70A688DBA7
        APIs
          • Part of subcall function 00C3B030: std::_String_base::_Xlen.LIBCPMT ref: 00C3B08C
          • Part of subcall function 00C69360: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000002,00000000,?,?,0000000F,00000010,00000000,?,00000000,00000000), ref: 00C6939B
          • Part of subcall function 00C6B130: GetModuleFileNameW.KERNEL32(00000000,?,00000105,05A2C2A1), ref: 00C6B1B8
          • Part of subcall function 00C75AB0: GetCurrentProcessId.KERNEL32(05A2C2A1,00000000), ref: 00C75B29
        • CreateMutexW.KERNEL32(00000000,00000001,?,?,?,?,--crashed,00000009,?), ref: 00C64808
        • GetLastError.KERNEL32(?,?,?,--crashed,00000009,?), ref: 00C64812
          • Part of subcall function 00C6CF50: MessageBoxW.USER32(00000000,?,-00000004,00000010), ref: 00C6CFC6
          • Part of subcall function 00C44320: Sleep.KERNEL32(00000064,00000000,05A2C2A1), ref: 00C443A9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Create$CurrentErrorFileLastMessageModuleMutexNameProcessSleepString_base::_Xlenstd::_
        • String ID: ) - $--crashed$--loader$--reseller$--silent$--subid$--test$-installer-singleapplication-mutex$Unable to create temporary directory ($false$hasDownloadedUpdate
        • API String ID: 2873531572-663848665
        • Opcode ID: 5835432339c2915f16d0783e683714a9bba283379f36408233a54a9387c2b560
        • Instruction ID: ce14ad24e35da7ed49c3232e6b4e3f5192f133b4a1f0e4a32b0cbb9f42a9befa
        • Opcode Fuzzy Hash: 5835432339c2915f16d0783e683714a9bba283379f36408233a54a9387c2b560
        • Instruction Fuzzy Hash: 52F196B14087809BD734EB70D982B9FB7E8AF94304F44482DF69957152EB35DA08DB63
        APIs
        • FindResourceW.KERNEL32(00C30000,?,000000F0,05A2C2A1), ref: 00C60E42
        • LoadResource.KERNEL32(00C30000,00000000), ref: 00C60E66
        • LockResource.KERNEL32(00000000), ref: 00C60E6D
        • FindResourceW.KERNEL32(00C30000,?,00000005), ref: 00C60E7D
        • LoadResource.KERNEL32(00C30000,00000000), ref: 00C60E90
        • LockResource.KERNEL32(00000000), ref: 00C60E9B
        • GetWindow.USER32(?,00000005), ref: 00C60EE1
        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00C60F41
        • GlobalFix.KERNEL32(00000000), ref: 00C60F52
        • GlobalUnWire.KERNEL32(00000000), ref: 00C60F6F
        • MapDialogRect.USER32(?,?), ref: 00C6102A
        • SetWindowContextHelpId.USER32(?,00000000), ref: 00C61094
        • SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013), ref: 00C610DD
        • SysFreeString.OLEAUT32(?), ref: 00C610F5
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Resource$GlobalWindow$FindLoadLock$AllocContextDialogFreeHelpRectStringWire
        • String ID:
        • API String ID: 3021818-0
        • Opcode ID: 83825df506b4dfc8618ccdace998ebd42bc9c687d7c5273fdedd5d5783bbaf04
        • Instruction ID: 78d73e1a657a43faf43bdb3003b8f1be0b42f96ff06b3937218cea2c5544c044
        • Opcode Fuzzy Hash: 83825df506b4dfc8618ccdace998ebd42bc9c687d7c5273fdedd5d5783bbaf04
        • Instruction Fuzzy Hash: 88B19AB0508351AFC724CF65C881B6FBBE8FB88B41F184919F9959B290D774D981CBA2
        APIs
        • CallWindowProcW.USER32(?,?,?,?,?), ref: 00C4FEB1
        • GetDlgCtrlID.USER32(?), ref: 00C4FECA
        • GetParent.USER32(?), ref: 00C4FED8
        • SetCapture.USER32(?), ref: 00C4FEE4
        • PeekMessageW.USER32(00000202,?,00000202,00000202,00000001), ref: 00C4FEFF
        • SendMessageW.USER32(00000000,00000111,?,?), ref: 00C4FF27
        • Sleep.KERNEL32(?), ref: 00C4FF2D
        • PeekMessageW.USER32(00000202,?,00000202,00000202,00000001), ref: 00C4FF4D
        • SendMessageW.USER32(00000000,00000111,?,?), ref: 00C4FF6A
        • ReleaseCapture.USER32 ref: 00C4FF6C
        • SendMessageW.USER32(?,00000202,00000000,00000000), ref: 00C4FF7F
        • GetCursorPos.USER32(?), ref: 00C4FF8E
        • ScreenToClient.USER32(?,?), ref: 00C4FF9D
        • SendMessageW.USER32(?,00000200,00000000,?), ref: 00C4FFBD
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$Send$CapturePeek$CallClientCtrlCursorParentProcReleaseScreenSleepWindow
        • String ID:
        • API String ID: 1184555794-0
        • Opcode ID: c5ab78534feac199bfb9fbb4114a3f621837be2dece6281117808d943645a35b
        • Instruction ID: 9863f01e8dd4fbb84b2796b67465f322deb8c55c91fd7d4432cee513f3dde583
        • Opcode Fuzzy Hash: c5ab78534feac199bfb9fbb4114a3f621837be2dece6281117808d943645a35b
        • Instruction Fuzzy Hash: 64311A75244340ABE314CF65DD89F2BB7EDFB88B01F00890DF99687691DA74E805CB61
        APIs
        • BeginPaint.USER32(?,?,05A2C2A1), ref: 00C57627
        • GetClientRect.USER32(?,?), ref: 00C57641
        • SelectObject.GDI32(00000000,?), ref: 00C5767B
        • StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00C576AA
        • SelectObject.GDI32(00000000,?), ref: 00C576B1
        • StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00C576EB
        • DrawIconEx.USER32(?,?,?,?,00000000,00000000,00000000,00000000,00000003), ref: 00C57711
        • SelectObject.GDI32(?,?), ref: 00C5773E
        • SetBkMode.GDI32(?,00000001), ref: 00C57747
        • DrawTextW.USER32(?,?,000000FF,?,00000124), ref: 00C57771
        • InterlockedDecrement.KERNEL32(?), ref: 00C5778A
        • DeleteDC.GDI32(00000000), ref: 00C577A5
        • EndPaint.USER32(?,?), ref: 00C577B5
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ObjectSelect$DrawPaintStretch$BeginClientDecrementDeleteIconInterlockedModeRectText
        • String ID:
        • API String ID: 784994728-0
        • Opcode ID: 27d895b9c8a898c8cf5a6309d964fb8d0a4d6c66faf3e0349f7ce46b14d78be3
        • Instruction ID: 3848c85439175eeb543d3b4a9b3ffd76e302311333efa75925381e13a5f0d500
        • Opcode Fuzzy Hash: 27d895b9c8a898c8cf5a6309d964fb8d0a4d6c66faf3e0349f7ce46b14d78be3
        • Instruction Fuzzy Hash: CE5118B5208740AFD314DF68DC85F2BB7E9FB88714F108A1CF59A97290DA70E941CB65
        APIs
        • SysFreeString.OLEAUT32(?), ref: 00C53052
        • SysStringByteLen.OLEAUT32(?), ref: 00C53133
        • SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 00C5313B
        • SysFreeString.OLEAUT32(?), ref: 00C53155
        • VariantInit.OLEAUT32 ref: 00C531C1
        • VariantClear.OLEAUT32(?), ref: 00C53250
        • SysFreeString.OLEAUT32(?), ref: 00C5325B
        • VariantInit.OLEAUT32(?), ref: 00C5327E
        • VariantChangeType.OLEAUT32 ref: 00C53295
        • VariantClear.OLEAUT32(?), ref: 00C532E6
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C69C1F
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 00C69C3E
        • VariantClear.OLEAUT32(?), ref: 00C532ED
        • SysFreeString.OLEAUT32(?), ref: 00C532F4
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: StringVariant$ByteFree$Clear$CharInitMultiWide$AllocChangeType
        • String ID:
        • API String ID: 497852104-0
        • Opcode ID: 5b5f1f59d3db675cf42eeb72c680df39487b6f331d43618420bceb642c238df8
        • Instruction ID: 1ae9f304b73589701a2365146b4881be472a0405d06e32c7f2659581f3757817
        • Opcode Fuzzy Hash: 5b5f1f59d3db675cf42eeb72c680df39487b6f331d43618420bceb642c238df8
        • Instruction Fuzzy Hash: B1B18CB56087809FC720DF68C881B5FB7E8BF88741F00491DF99997251D770EA88DBA6
        APIs
        • OleUninitialize.OLE32 ref: 00C57D92
        • OleInitialize.OLE32(00000000), ref: 00C57DA0
        • GetWindowTextLengthW.USER32(?), ref: 00C57DA7
        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00C57DFE
        • SetWindowTextW.USER32(?,00CE5924), ref: 00C57E0A
        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00C57E26
        • GlobalFix.KERNEL32(00000000), ref: 00C57E42
        • GlobalUnWire.KERNEL32(00000000), ref: 00C57E5D
        • SysFreeString.OLEAUT32(00000000), ref: 00C57E95
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: GlobalTextWindow$AllocFreeInitializeLengthStringUninitializeWire
        • String ID:
        • API String ID: 1289996212-0
        • Opcode ID: cd2d4430a3b69036d1543944a4b291c0bebbde54b4fda7a023383ebefd103bb1
        • Instruction ID: fedb543c371335d0c26222dce1a1f93bfb3dbb90eb8950c5535c414666fe7524
        • Opcode Fuzzy Hash: cd2d4430a3b69036d1543944a4b291c0bebbde54b4fda7a023383ebefd103bb1
        • Instruction Fuzzy Hash: 2C91D279904205DFDB11DFA4DC85FAEBBB8EF88301F144649F816A7290DB74AE84CB64
        APIs
        • GetFileAttributesW.KERNEL32(00000000,05A2C2A1,?,?,00000010,00000000), ref: 00C6DD5C
        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00C6DD6B
        • GetLastError.KERNEL32 ref: 00C6DD75
        • GetFileAttributesW.KERNEL32(00000000), ref: 00C6DD8C
        • CreateDirectoryW.KERNEL32(?,00000000,05A2C2A1,?,?,00000010,00000000), ref: 00C6DDAC
        • GetFileAttributesW.KERNEL32(00000000), ref: 00C6E041
        • GetLastError.KERNEL32 ref: 00C6DDBA
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C69C1F
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 00C69C3E
          • Part of subcall function 00C6D850: FormatMessageW.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,?,?,?,0000000F), ref: 00C6D8DF
          • Part of subcall function 00C6D850: GetLastError.KERNEL32(?,?,?,0000000F), ref: 00C6D8E9
          • Part of subcall function 00C6D850: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C6D98E
          • Part of subcall function 00C3AE10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AE5F
        Strings
        Similarity
        • API ID: AttributesErrorFileLast$ByteCharCreateDirectoryMultiWide$FormatIos_base_dtorMessageString_base::_Xlenstd::_std::ios_base::_
        • String ID: exists and is not a directory
        • API String ID: 2742050257-940336721
        • Opcode ID: 3664640edb7376e79f098dfbc1ad02db47f284b336407bca34fcfc416c0f9ff2
        • Instruction ID: 796ff1bc993bf88c677d785d0470f456047dde9c2f68104a8140ef83a8b4d27c
        • Opcode Fuzzy Hash: 3664640edb7376e79f098dfbc1ad02db47f284b336407bca34fcfc416c0f9ff2
        • Instruction Fuzzy Hash: 2FB1E3B19083809BD730EB64C885B4BB7E9AFD5714F044D1EF18A97381DB759844DBA3
        APIs
        • EnumProcesses.PSAPI(?,00001000,?,05A2C2A1,00000000,?,0000000F,00000000,00000000,00CDC67D,000000FF,00C6FD74,00000000,00100001), ref: 00C6E945
        • GetCurrentProcessId.KERNEL32(?,00001000,?,05A2C2A1,00000000,?,0000000F,00000000,00000000,00CDC67D,000000FF,00C6FD74,00000000,00100001), ref: 00C6E9E3
        • OpenProcess.KERNEL32(?,00000000,?), ref: 00C6EA15
        • GetModuleBaseNameW.PSAPI(00000000,00000000,?,000003E8), ref: 00C6EA35
        • FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,?,00000000,00000026,00000000,00000000,000000FF), ref: 00C6EA9C
          • Part of subcall function 00C55DF0: GetLastError.KERNEL32(00000068,?,00C56B16,?), ref: 00C55DFA
        Strings
        Similarity
        • API ID: Process$BaseChangeCloseCurrentEnumErrorFindLastModuleNameNotificationOpenProcesses
        • String ID: not found$EnumProcesses error: $Process
        • API String ID: 2225575167-343186101
        • Opcode ID: 8759e19d06eff7acaaec39ad3c594595c9ace542f7e1ab778099022193d8a5d7
        • Instruction ID: 38a491424d6940a6a66e6260646a6c7eb4d126a7994a763581bd3f05c6f601c0
        • Opcode Fuzzy Hash: 8759e19d06eff7acaaec39ad3c594595c9ace542f7e1ab778099022193d8a5d7
        • Instruction Fuzzy Hash: 7561A3B55083809BD330EB64D885BDBB7E9EBC4704F504E2EF199872C1DBB1A544DBA2
        APIs
        • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,05A2C2A1,0000000F,?,00000000), ref: 00C6F2A3
        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00C6F333
        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00C6F38B
        • FindCloseChangeNotification.KERNEL32(00000000), ref: 00C6F3AF
          • Part of subcall function 00C55DF0: GetLastError.KERNEL32(00000068,?,00C56B16,?), ref: 00C55DFA
          • Part of subcall function 00C3AE10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AE5F
        • CloseHandle.KERNEL32(00000000), ref: 00C6F488
        Strings
        Similarity
        • API ID: File$Close$ChangeCreateErrorFindHandleLastNotificationReadSizeString_base::_Xlenstd::_
        • String ID: CreateFile error: $GetFileSizeEx error: $ReadFile error:
        • API String ID: 2865982651-1889545721
        • Opcode ID: ee0f359e8470957bb2e471bfbb756b46afc8a5bc4f979a5c6da388a04988d89c
        • Instruction ID: 5840f4d334e2b0b0c322cf6313448cf80e10ed69d6a6c1e2bf5dc47da4851205
        • Opcode Fuzzy Hash: ee0f359e8470957bb2e471bfbb756b46afc8a5bc4f979a5c6da388a04988d89c
        • Instruction Fuzzy Hash: 4D518AB5508380AFD720EB64D881F6FB7E9AFD8704F404A2DF59987281DB74E9058B63
        Strings
        Similarity
        • API ID:
        • String ID: FailCnt: $!$Memory$SZ_ERROR_FAIL: $Sha1: $Size:
        • API String ID: 0-4105679911
        • Opcode ID: 2d347218709fb36056870f950f7076156707f1221f171079af0f20bf0b5d728f
        • Instruction ID: 8b0385dace5e47dc9e093e18e8d8766d3dd9fb0069259f368852e7863c8b6e9a
        • Opcode Fuzzy Hash: 2d347218709fb36056870f950f7076156707f1221f171079af0f20bf0b5d728f
        • Instruction Fuzzy Hash: 0BA18DB19083819BC734EF64D885BDFB7E9BBC4304F404A2DF59D87242DB7096489BA6
        APIs
        • AssocQueryStringW.SHLWAPI(00000000,00000002,http,open,00000000,?), ref: 00C8E031
        • AssocQueryStringW.SHLWAPI(00000000,00000002,http,open,?,?), ref: 00C8E051
          • Part of subcall function 00C48CA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C48D3A
          • Part of subcall function 00C3AD10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AD4A
          • Part of subcall function 00C3AD10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AD61
        Strings
        Similarity
        • API ID: AssocQueryStringString_base::_Xlenstd::_$Ios_base_dtorstd::ios_base::_
        • String ID: E_POINTER$ S_FALSE $AssocQueryStringW$http$open
        • API String ID: 3378744118-2736408121
        • Opcode ID: 06fa441d09984cc7714e269a7b97b11f9c01f4a0bb132ee2bde06cd28382f075
        • Instruction ID: 33cb4e3acb51926dc1d4503ef2d06957b83ce01b8f33ce1bd8f210f72e4d9b74
        • Opcode Fuzzy Hash: 06fa441d09984cc7714e269a7b97b11f9c01f4a0bb132ee2bde06cd28382f075
        • Instruction Fuzzy Hash: BC61D1B2D00258ABCF10EBE8DC81AEEF7B9BF54704F14452EF515A7282DB705A04DBA1
        APIs
          • Part of subcall function 00C6A5F0: RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?,0000000F,00000000,00CE2949,00000000,05A2C2A1,0000000F,00000000,00000010,00000000), ref: 00C6A650
          • Part of subcall function 00C3AE10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AE5F
          • Part of subcall function 00C6A5F0: RegQueryValueExW.ADVAPI32 ref: 00C6A6D9
          • Part of subcall function 00C6A5F0: RegCloseKey.ADVAPI32(?), ref: 00C6A6E8
        • SHGetSpecialFolderPathW.SHELL32 ref: 00C6FC67
        • GetModuleFileNameExW.PSAPI(00000000,00000000,00000000,00000104,00000026,00000000,00000000,000000FF,?,?,?,?,?,?,00CE2949,000000FF), ref: 00C6FD85
        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104,00000026,00000000,00000000,000000FF,?,?,?,?,?,?,00CE2949), ref: 00C6FD8B
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C69C1F
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 00C69C3E
          • Part of subcall function 00C69670: GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,000000FF,?,?,?,00CE2949,00000000,05A2C2A1,0000000F,00000000,00000010,00000000), ref: 00C6969C
        Strings
        Similarity
        • API ID: ByteCharCloseFileMultiWide$AttributesFolderHandleModuleNameOpenPathQuerySpecialString_base::_ValueXlenstd::_
        • String ID: SOFTWARE\$Software\
        • API String ID: 3206570634-1851597529
        • Opcode ID: a57489b89bdcded58a3aaf8eab84ee59ad6ce263211abc90d9d37ffb16f331be
        • Instruction ID: d75f066d13949fcea869f455bb593bec617b307f87b60d72b3d81ee14d1128c6
        • Opcode Fuzzy Hash: a57489b89bdcded58a3aaf8eab84ee59ad6ce263211abc90d9d37ffb16f331be
        • Instruction Fuzzy Hash: E1D194B1408380AAD730EB64D881F9BB7E9AF95700F404A2EB1D952282EB759509DB73
        APIs
        • ShowWindow.USER32(00000000,00000005,?,?,00C56FDE,?,00000001,00C38BA4), ref: 00C68E70
        • SetForegroundWindow.USER32(00000000), ref: 00C68E77
        • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,00C56FDE,?,00000001,00C38BA4), ref: 00C68E90
        • Sleep.KERNEL32(00000064,?,?,00C56FDE,?,00000001,00C38BA4), ref: 00C68E94
        • SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,00C56FDE,?,00000001,00C38BA4), ref: 00C68EA7
        • ShowWindow.USER32(00000001,00000000,00C56FDE,?,00000001,00C38BA4), ref: 00C68EB3
        Similarity
        • API ID: Window$Show$ForegroundSleep
        • String ID:
        • API String ID: 810539981-0
        • Opcode ID: 1371cd6916aa19c40d2f1c2dbdf1fd5d4790db9283693a5499a1f1f91897c262
        • Instruction ID: 1264345d7cb8be7d7b397a20576e2e0a302c696c04e331f8120016a76315ba59
        • Opcode Fuzzy Hash: 1371cd6916aa19c40d2f1c2dbdf1fd5d4790db9283693a5499a1f1f91897c262
        • Instruction Fuzzy Hash: 89F01C363857917AEA316754AC4EF4E3A5C9B86F21F354204F3107E1E086E466418A69
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • FindResourceW.KERNEL32(00000000,?,ARCHIVE_7Z,?,00000000), ref: 00C548F4
        • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00C54917
        • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00C54925
        • LockResource.KERNEL32(00000000,?,00000000), ref: 00C54930
        Strings
        Similarity
        • API ID: Resource$ByteCharMultiWide$FindLoadLockSizeof
        • String ID: ARCHIVE_7Z
        • API String ID: 1289833662-1362570139
        • Opcode ID: b572142fb386c0bc51d382f1ebb89bb41bc90687f9df52aaf050217d112b3b4c
        • Instruction ID: e49f1b2ba8e95aff7abe644332e4e429d0cc6842e3aa8693160daa48afca41e6
        • Opcode Fuzzy Hash: b572142fb386c0bc51d382f1ebb89bb41bc90687f9df52aaf050217d112b3b4c
        • Instruction Fuzzy Hash: AD21A1B55043499FC214DF25EC86F1BB7ECEB84711F10492EF856D3200DA35E9488A76
        APIs
        • RtlEnterCriticalSection.NTDLL(00D06BB8), ref: 00C5A3E5
        • GetModuleFileNameW.KERNEL32(00C30000,?,00000104), ref: 00C5A454
        • LoadTypeLib.OLEAUT32(?,?), ref: 00C5A47B
        • LoadRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C5A4A6
        • RtlLeaveCriticalSection.NTDLL(00D06BB8), ref: 00C5A5B1
        Similarity
        • API ID: CriticalLoadSectionType$EnterFileLeaveModuleName
        • String ID:
        • API String ID: 2487232618-0
        • Opcode ID: 2cd0f416012c89fcce640a4da1eefb91d126ced5db0b72dd279170b2ea8c9ed3
        • Instruction ID: fa2db744fa8cd75d658a19244353381809182279c61a22c16a280f30241ab246
        • Opcode Fuzzy Hash: 2cd0f416012c89fcce640a4da1eefb91d126ced5db0b72dd279170b2ea8c9ed3
        • Instruction Fuzzy Hash: CA719C792047419FC720DF65D884E2AB7E5EF88301F108A2DE55ACB360D770E989CB66
        APIs
          • Part of subcall function 00C3AE10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AE5F
        • GetCurrentThreadId.KERNEL32 ref: 00C51F0D
        • SendMessageW.USER32(00000000), ref: 00C51F2E
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C51F44
        • Sleep.KERNEL32(00000064), ref: 00C51F52
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C51F5E
        Similarity
        • API ID: Message$Peek$CurrentSendSleepString_base::_ThreadXlenstd::_
        • String ID:
        • API String ID: 3621029273-0
        • Opcode ID: 100f1cdbed2d54f7af28aa19f7036bfbc16a846e3975bdaddcd20dd477203e29
        • Instruction ID: e158210066104353ed312b30f14b270009a3a96c59b246bb759f4ff85b260f43
        • Opcode Fuzzy Hash: 100f1cdbed2d54f7af28aa19f7036bfbc16a846e3975bdaddcd20dd477203e29
        • Instruction Fuzzy Hash: BA315FB1508344AFD320DF59CC80B6BBBE8FB89750F104A2EF6A587390DB719944CB62
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00C51C61
        • SendMessageW.USER32(00000000), ref: 00C51C95
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C51CA4
        • Sleep.KERNEL32(00000064), ref: 00C51CB2
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C51CC1
        Similarity
        • API ID: Message$Peek$CurrentSendSleepThread
        • String ID:
        • API String ID: 3626649275-0
        • Opcode ID: 9063a6b4c7055d56e69c15f8d8e017020db937c9ec13d82d8b4b4670f093a93b
        • Instruction ID: b3e04a28b906e7d56a20a3129933b2a2e19b44ca685328c5323820739ce38926
        • Opcode Fuzzy Hash: 9063a6b4c7055d56e69c15f8d8e017020db937c9ec13d82d8b4b4670f093a93b
        • Instruction Fuzzy Hash: C90192352803056BE710DB61DCC5F9A77ACEB88B55F040519FF109E2C0D7B1EA498BA6
        APIs
        • GetCommandLineW.KERNEL32(?,05A2C2A1,0000000F,?,00000010,00000000), ref: 00C75D17
        • CommandLineToArgvW.SHELL32(00000000,?,00000010,00000000), ref: 00C75D1E
          • Part of subcall function 00C55DF0: GetLastError.KERNEL32(00000068,?,00C56B16,?), ref: 00C55DFA
        Strings
        • CommandLineToArgvW failed: , xrefs: 00C75D44
        Similarity
        • API ID: CommandLine$ArgvErrorLast
        • String ID: CommandLineToArgvW failed:
        • API String ID: 2860833831-2462630033
        • Opcode ID: 549ecb55f22fc1531e07c06d6626969692fdf1e7a7eb7db3befd21426eccc9b7
        • Instruction ID: e363cd018c2f2afb0ddcf0efe3db29f3b4b110828f91ee5c99104e3b132ffed6
        • Opcode Fuzzy Hash: 549ecb55f22fc1531e07c06d6626969692fdf1e7a7eb7db3befd21426eccc9b7
        • Instruction Fuzzy Hash: 36C18AB55087809FD725EF24C485B9FB7E4AF99300F44891EF59E87241DB74AA04CBA3
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?,0000000F,00000000,00CE2949,00000000,05A2C2A1,0000000F,00000000,00000010,00000000), ref: 00C6A650
        • RegQueryValueExW.ADVAPI32 ref: 00C6A6D9
        • RegCloseKey.ADVAPI32(?), ref: 00C6A6E8
        • RegCloseKey.ADVAPI32(?), ref: 00C6A706
        Similarity
        • API ID: ByteCharCloseMultiWide$OpenQueryValue
        • String ID:
        • API String ID: 3924453400-0
        • Opcode ID: d38cd195634b93da640dbbd1a5b99d03c5c512c6a863fceb10e9816a8a4ea1c5
        • Instruction ID: 1f2e4e752a0b00ab0428180cd86a651711ef453d828a83b244347ed6a72bad3b
        • Opcode Fuzzy Hash: d38cd195634b93da640dbbd1a5b99d03c5c512c6a863fceb10e9816a8a4ea1c5
        • Instruction Fuzzy Hash: 2C414EB1508341ABD320DF15D8C1A2BB7F8FB89714F444A2DF58593741D73AEA09DBA2
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • RegOpenKeyExW.KERNEL32(?,?,00000000,00000008,?,0000000F,?,?,?,?,?,?,?,SOFTWARE\Clients\StartMenuInternet,00000022,05A2C2A1), ref: 00C6F521
        • RegEnumKeyW.ADVAPI32 ref: 00C6F562
        • RegCloseKey.KERNEL32(?), ref: 00C6F5B4
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C69C1F
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 00C69C3E
        • RegEnumKeyW.ADVAPI32(?,00000001,00000000,000003E8), ref: 00C6F5A9
        Similarity
        • API ID: ByteCharMultiWide$Enum$CloseOpen
        • String ID:
        • API String ID: 3469212518-0
        • Opcode ID: f00b0373e7ea79edd13751915751716af7be41122186e1c90e671a16a4e2765e
        • Instruction ID: 2e15f548d35b9cb99e5e1b5651b49b9f9b5f5db5f764cdab3d10fd56bced3d5d
        • Opcode Fuzzy Hash: f00b0373e7ea79edd13751915751716af7be41122186e1c90e671a16a4e2765e
        • Instruction Fuzzy Hash: ED316DB1A083819BD210DF25EC85F1BBBECAFD5710F00492EF54597380D774DA058B62
        APIs
        • GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00C5DC86
        • FlushInstructionCache.KERNEL32(00000000), ref: 00C5DC8D
          • Part of subcall function 00CD5107: GetProcessHeap.KERNEL32(00000000,0000000D,?,00C510CE,?,00C505AB,00000000), ref: 00CD5088
          • Part of subcall function 00CD5107: RtlAllocateHeap.NTDLL(00000000,?,00C505AB), ref: 00CD508F
        • SetLastError.KERNEL32(0000000E), ref: 00C5DCA7
          • Part of subcall function 00C5DA80: RaiseException.KERNEL32(C0000005,00000001,?,?), ref: 00C5DA92
          • Part of subcall function 00C5DA80: GetCurrentThreadId.KERNEL32 ref: 00C5DAAC
          • Part of subcall function 00C5DA80: RtlEnterCriticalSection.NTDLL(?), ref: 00C5DAB9
          • Part of subcall function 00C5DA80: RtlLeaveCriticalSection.NTDLL(?), ref: 00C5DAC9
        • CreateWindowExW.USER32(?,?,?,?,?,00000000,000000E9,?,?,?,00C30000,?), ref: 00C5DD23
        Similarity
        • API ID: CriticalCurrentHeapProcessSection$AllocateCacheCreateEnterErrorExceptionFlushInstructionLastLeaveRaiseThreadWindow
        • String ID:
        • API String ID: 2100251101-0
        • Opcode ID: 95d05d31e14e085b76a1303d88fb0ca1d5402c9a886bc5e38dc3aa51951aaaae
        • Instruction ID: e6fb36406c8c0c0217ba242266357d405a9422d78a7fe882880ce9dd58e8be4e
        • Opcode Fuzzy Hash: 95d05d31e14e085b76a1303d88fb0ca1d5402c9a886bc5e38dc3aa51951aaaae
        • Instruction Fuzzy Hash: DD216D726143509FD3209F68DC48F6BB7ECEBC9720F05854AB9469B250C670ED44CBB5
        APIs
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00C619CD
        • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00C619EF
        • TranslateMessage.USER32(?), ref: 00C61A0C
        • DispatchMessageW.USER32(?), ref: 00C61A13
        Similarity
        • API ID: Message$CallbackDispatchDispatcherPeekTranslateUser
        • String ID:
        • API String ID: 1533324876-0
        • Opcode ID: 00028aa27c3b6290d597562f9d228322da9a6a0012e48bc32c8c7467056f3f86
        • Instruction ID: 96a7ff036faa171029b863997a3fe0fefd5c2433dce7d7301343a042a0788cda
        • Opcode Fuzzy Hash: 00028aa27c3b6290d597562f9d228322da9a6a0012e48bc32c8c7467056f3f86
        • Instruction Fuzzy Hash: E211A1353412445BE3305AA9DCE9B7F72ECEF85B42F2C0119FAA1EA2D0D790ED029651
        APIs
        • OpenProcess.KERNEL32(00000410,00000000,00000104,?,00000010,00C75B50,00000000,?,00000104), ref: 00C726EF
        • GetProcessImageFileNameW.PSAPI(00000000,00C75B50,00000010,?,00000010,00C75B50,00000000,?,00000104), ref: 00C72706
        • GetLastError.KERNEL32(00000000,00C75B50,00000010,?,00000010,00C75B50,00000000,?,00000104), ref: 00C7270F
        • CloseHandle.KERNEL32(00000000,00000000,00C75B50,00000010,?,00000010,00C75B50,00000000,?,00000104), ref: 00C72718
        Similarity
        • API ID: Process$CloseErrorFileHandleImageLastNameOpen
        • String ID:
        • API String ID: 1297415806-0
        • Opcode ID: ee6ae3421cef5b4b22c85672f3a4d2556d9aee4d847e889455b56682fa1051ce
        • Instruction ID: 923981a12a09c8cc9f8bf4ed5404c23a16a68c42d4361c0bb827fd23de6270b6
        • Opcode Fuzzy Hash: ee6ae3421cef5b4b22c85672f3a4d2556d9aee4d847e889455b56682fa1051ce
        • Instruction Fuzzy Hash: 93E06D3A205151AB92159B16ED48F6FB7ADEBC5752B05802AFA0486200DA308D019AB2
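The API rows in these function records print the raw stack slots in hex, and the security-relevant detail sits in the constants: the 00000410 passed to OpenProcess above is PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, exactly the rights GetProcessImageFileNameW needs to read another process's image path, so this function walks processes by name (consistent with the "AV process strings found" signature in the overview). The Python below is an added example, not part of the Joe Sandbox report or of the sample; it parses rows in the format used on this page and decodes the constants for the APIs in its prototype table. The PROTOTYPES table, the ApiCall structure and the REPORT_ROWS list are this example's own (the rows themselves are copied from the records on this page). Joe Sandbox prints stack slots past the real parameter count, so only the first N slots of a known prototype are decoded and the rest are left as printed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One Joe Sandbox API row, e.g.
#   • OpenProcess.KERNEL32(00000410,00000000,...), ref: 00C726EF
#   • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(...), ref: 00C69C1F
#   • VariantInit.OLEAUT32 ref: 00C5989D          (no argument list at all)
API_ROW = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:~]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX = re.compile(r"[0-9A-Fa-f]+")

# Win32 constants (values as in the Windows SDK headers).
PROCESS_ACCESS = {0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0008: "PROCESS_VM_OPERATION", 0x0001: "PROCESS_TERMINATE",
                  0x0400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
FILE_ATTR = {0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN",
             0x04: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL",
             0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
KEY_ACCESS = {0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE",
              0x0004: "KEY_CREATE_SUB_KEY", 0x0008: "KEY_ENUMERATE_SUB_KEYS",
              0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY"}
REG_TYPE = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
            7: "REG_MULTI_SZ", 11: "REG_QWORD"}
CODEPAGE = {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"}

def flags(value: int, table: dict) -> str:
    """Decode a bitmask; bits the table does not name are kept as hex."""
    names, rest = [], value
    for bit, name in table.items():
        if (value & bit) == bit:
            names.append(name)
            rest &= ~bit
    if rest or not names:
        names.append(f"0x{rest:X}")
    return "|".join(names)

def enum(value: int, table: dict) -> str:
    return table.get(value, f"0x{value:X}")

def raw(*names: str) -> list:
    """Parameters kept as the printed slot (pointers, handles, lengths)."""
    return [(n, None) for n in names]

# Parameters in declaration order, with a decoder where the slot is a constant.
PROTOTYPES = {
    "OpenProcess": [("dwDesiredAccess", lambda v: flags(v, PROCESS_ACCESS))]
                   + raw("bInheritHandle", "dwProcessId"),
    "CreateFileW": raw("lpFileName") + [
        ("dwDesiredAccess", lambda v: flags(v, GENERIC_ACCESS)),
        ("dwShareMode", lambda v: flags(v, FILE_SHARE))] + raw("lpSecurityAttributes") + [
        ("dwCreationDisposition", lambda v: enum(v, CREATION)),
        ("dwFlagsAndAttributes", lambda v: flags(v, FILE_ATTR))] + raw("hTemplateFile"),
    "RegCreateKeyExW": raw("hKey", "lpSubKey", "Reserved", "lpClass", "dwOptions") + [
        ("samDesired", lambda v: flags(v, KEY_ACCESS))]
        + raw("lpSecurityAttributes", "phkResult", "lpdwDisposition"),
    "RegSetValueExW": raw("hKey", "lpValueName", "Reserved") + [
        ("dwType", lambda v: enum(v, REG_TYPE))] + raw("lpData", "cbData"),
    "Sleep": [("dwMilliseconds", lambda v: f"{v} ms")],
    "MultiByteToWideChar": [("CodePage", lambda v: enum(v, CODEPAGE))]
        + raw("dwFlags", "lpMultiByteStr", "cbMultiByte", "lpWideCharStr", "cchWideChar"),
    "WideCharToMultiByte": [("CodePage", lambda v: enum(v, CODEPAGE))]
        + raw("dwFlags", "lpWideCharStr", "cchWideChar", "lpMultiByteStr",
              "cbMultiByte", "lpDefaultChar", "lpUsedDefaultChar"),
}

@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                  # address of the call instruction
    caller: Optional[int]     # subcall function address for indented rows
    raw_args: list
    decoded: dict = field(default_factory=dict)

def parse_api_row(row: str) -> Optional[ApiCall]:
    m = API_ROW.search(row)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    call = ApiCall(m["api"], m["module"], int(m["ref"], 16),
                   int(m["caller"], 16) if m["caller"] else None, args)
    # zip() stops at the prototype length, so extra stack slots are ignored;
    # '?' is a slot the sandbox could not resolve and stays as printed.
    for (name, dec), slot in zip(PROTOTYPES.get(call.api, []), args):
        call.decoded[name] = dec(int(slot, 16)) if dec and HEX.fullmatch(slot) else slot
    return call

def decode_rows(rows) -> list:
    return [c for c in map(parse_api_row, rows) if c is not None]

def summarize(call: ApiCall) -> str:
    args = ", ".join(f"{k}={v}" for k, v in call.decoded.items()) or ", ".join(call.raw_args)
    where = f" (in {call.caller:08X})" if call.caller is not None else ""
    return f"{call.ref:08X}{where}: {call.api}({args})"

# Rows copied from the function records on this page.
REPORT_ROWS = [
    "• OpenProcess.KERNEL32(00000410,00000000,00000104,?,00000010,00C75B50,00000000,?,00000104), ref: 00C726EF",
    "• CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,00000080,00000000), ref: 00C6E4A6",
    "• RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000002,00000000,?,?,0000000F,00000010,00000000,?,00000000,00000000), ref: 00C6939B",
    "• RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C693FF",
    "• Sleep.KERNEL32(00000064,05A2C2A1,?,?,?), ref: 00C66B1F",
    "  • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C69C1F",
    "• VariantInit.OLEAUT32 ref: 00C5989D",
]

if __name__ == "__main__":
    for call in decode_rows(REPORT_ROWS):
        print(summarize(call))
```

Run against the rows above, the decoder reports the CreateFileW call as GENERIC_WRITE, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL (a plain file drop followed by the WriteFile in the same record), the RegCreateKeyExW call as KEY_SET_VALUE with a REG_SZ write following it, and the 0000FDE9 code page as CP_UTF8. Adding an API means adding one entry to PROTOTYPES; anything not in the table is still parsed, just left undecoded.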
        APIs
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C69C1F
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 00C69C3E
        • CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,00000080,00000000), ref: 00C6E4A6
        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C6E4D9
        • CloseHandle.KERNEL32(00000000), ref: 00C6E4F0
        Similarity
        • API ID: ByteCharFileMultiWide$CloseCreateHandleWrite
        • String ID:
        • API String ID: 411705059-0
        • Opcode ID: fc3ed0344bac13356d513f3b2657c6629854c807958b8abe8c88c8d3e520b6a6
        • Instruction ID: eeb2d8c8728b95d0691524ba66076b40b6beb206529bd3a64a0fab53708afc11
        • Opcode Fuzzy Hash: fc3ed0344bac13356d513f3b2657c6629854c807958b8abe8c88c8d3e520b6a6
        • Instruction Fuzzy Hash: 17312775508340ABD620DB74EC85F6BB7A8FB85714F400A1EF266972D1EB70DA04CB63
        APIs
        • VariantInit.OLEAUT32 ref: 00C5989D
        • DispCallFunc.OLEAUT32(?,00000000,?,?,?,?,?,?), ref: 00C598CA
        • VariantClear.OLEAUT32(?), ref: 00C598D7
        Similarity
        • API ID: Variant$CallClearDispFuncInit
        • String ID:
        • API String ID: 47416843-0
        • Opcode ID: 40ba103a6bb764a6dcd7bfb8c05fc22f1a69f0be3c5e5905c0d1dbdf91d3de5b
        • Instruction ID: 1d6ce19b108c5ed3c5636bf47de5cd871194545f57af6cf8596eb2c2366a5caf
        • Opcode Fuzzy Hash: 40ba103a6bb764a6dcd7bfb8c05fc22f1a69f0be3c5e5905c0d1dbdf91d3de5b
        • Instruction Fuzzy Hash: 2D318C769043159BC710CF18D880A6AF7E9FBC5701F048A2EF9558B340D330E989CBA6
        APIs
        • Sleep.KERNEL32(00000064,05A2C2A1,?,?,?), ref: 00C66B1F
        Similarity
        • API ID: Sleep
        • String ID: ms$disconnected by timeout
        • API String ID: 3472027048-1600369010
        • Opcode ID: 016504b94b3d46dac2002e0b0d7e8c4cbfdd71e13d9e9e113d2b465192025311
        • Instruction ID: 611a01dd3cb891e17f7f0677dc44c59f5d8ca1b263012d6235fb7d44c06d7600
        • Opcode Fuzzy Hash: 016504b94b3d46dac2002e0b0d7e8c4cbfdd71e13d9e9e113d2b465192025311
        • Instruction Fuzzy Hash: 6C31E772108B40EFD735DB24C881B9BB7E8FB85714F000A2DE1E6832D1DB79A908D762
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000002,00000000,?,?,0000000F,00000010,00000000,?,00000000,00000000), ref: 00C6939B
        • RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C693FF
        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00C6940F
        Similarity
        • API ID: ByteCharMultiWide$CloseCreateValue
        • String ID:
        • API String ID: 2853857722-0
        • Opcode ID: a1a8c0c3c702e8eee88021eafaa797001c50da98c7b28230b1e9ab7c02987eb8
        • Instruction ID: 382eb5e84b458eab48b5f2a46c97d9fc9dfa4a95bf1d04a05fc69f0631c5edba
        • Opcode Fuzzy Hash: a1a8c0c3c702e8eee88021eafaa797001c50da98c7b28230b1e9ab7c02987eb8
        • Instruction Fuzzy Hash: F821A1B64043046BC210EF15DC81DAFBBECEBD5354F48490DF94493211DA36EA099BA2
        Similarity
        • API ID:
        • String ID: AXWIN
        • API String ID: 0-1948516679
        • Opcode ID: 998031436cf9244b1fdcae3a37f5bb580fed16fb967594eda39791aa6c92dc0f
        • Instruction ID: 9067c97a8a73d79cb877d8b8c299db437d423e0dbc426e426dcf576e6270709d
        • Opcode Fuzzy Hash: 998031436cf9244b1fdcae3a37f5bb580fed16fb967594eda39791aa6c92dc0f
        • Instruction Fuzzy Hash: 2AF1F578204B05AFD720DF69C880F2BB7E9AF89304F20495CE95A8B3A1DB70ED45CB51
        APIs
        • CallWindowProcW.USER32(?,?,?,?,?), ref: 00C513CF
        Similarity
        • API ID: CallProcWindow
        • String ID: $
        • API String ID: 2714655100-3993045852
        • Opcode ID: 0dd9b2eaa0f3977cbf80d933af2edb7d02a4f061cf857f72fbae66a0f76a5754
        • Instruction ID: 051b4cbdf600796ce5ddb2739268de54a35366b3d944177eae26ffa091188279
        • Opcode Fuzzy Hash: 0dd9b2eaa0f3977cbf80d933af2edb7d02a4f061cf857f72fbae66a0f76a5754
        • Instruction Fuzzy Hash: 8B4138B5508700AFC324CF19D884A2BFBF8FB88714F549A1DF9AA83650D731E9448F55
        APIs
        • SHGetSpecialFolderPathW.SHELL32 ref: 00C6A201
          • Part of subcall function 00CD614D: __onexit.MSVCRT ref: 00CD6155
        Similarity
        • API ID: FolderPathSpecial__onexit
        • String ID: C:\Users\user
        • API String ID: 1587657709-2179397983
        • Opcode ID: ec4038573dab27fb43a8fdc44f657b41a450715b79d40000b2c0eb4bf29011d5
        • Instruction ID: a58997020d0f2e5e06b834dd27f0b8ef22a0bc3f5bc3215e3eeb1d2753e5e838
        • Opcode Fuzzy Hash: ec4038573dab27fb43a8fdc44f657b41a450715b79d40000b2c0eb4bf29011d5
        • Instruction Fuzzy Hash: 112157B09483509BE320DF20EC86B0B3FD4EB04B14F040529F599A63D1DBBAD5148BA7
        APIs
        • CreateWindowExW.USER32(?,AtlAxWinLic90,?,?,?,?,?,?,?,?,00C30000,?), ref: 00C60A4E
        Similarity
        • API ID: CreateWindow
        • String ID: AtlAxWinLic90
        • API String ID: 716092398-3795641830
        • Opcode ID: 916e4069003a19a2496512822de7cf21135e71e9e564754494afd66045fdd0f9
        • Instruction ID: 845679f7bd05939af213de94e70409635edfbf54bb4081900d957ab05fd4d39e
        • Opcode Fuzzy Hash: 916e4069003a19a2496512822de7cf21135e71e9e564754494afd66045fdd0f9
        • Instruction Fuzzy Hash: 71F0E772204201AF9344CB99DD48D5BF7FEEFE9B20B19855EB548E7225D6B0EC01CBA1
        APIs
        • PostThreadMessageW.USER32(?,00000004,?,00000000), ref: 00C5218E
        • PostThreadMessageW.USER32(00000000,00000005,?,00000000), ref: 00C521C3
        Similarity
        • API ID: MessagePostThread
        • String ID:
        • API String ID: 1836367815-0
        • Opcode ID: 265a62cddcd8613da440de7909e1e23dcf7642c6da90cbaa26e1eb8fe10a0e8b
        • Instruction ID: 5dc3c54cdc27e46231268c941ca58ab60779e11781022b41b2f8517943a1845a
        • Opcode Fuzzy Hash: 265a62cddcd8613da440de7909e1e23dcf7642c6da90cbaa26e1eb8fe10a0e8b
        • Instruction Fuzzy Hash: 4E5170BA204A409FC318EF28D891F5BB3E5FF99714F10462DE14A877A0EB31B945CB95
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 8e14c4857ce3d339dbe0d008ac5fccd0eb2ace113b3047ffbc467d3d9d21a492
        • Instruction ID: 0c00333846bcd28eddcb5e771e75c22a48057be1f07c736568e0db83fc29b101
        • Opcode Fuzzy Hash: 8e14c4857ce3d339dbe0d008ac5fccd0eb2ace113b3047ffbc467d3d9d21a492
        • Instruction Fuzzy Hash: 0F51B3781087519FC720DF18DC84B7A7BE8EB48701F808A2EFD9586250E774DDC98B6A
        APIs
        • Sleep.KERNEL32(00000064), ref: 00C74D49
          • Part of subcall function 00C6C650: GetTempPathW.KERNEL32(00000104,?,05A2C2A1,?,?), ref: 00C6C6D8
          • Part of subcall function 00C53560: TerminateThread.KERNEL32(0000000F,00000002,0000000F,00000000,00C74E26), ref: 00C5357A
        Similarity
        • API ID: PathSleepTempTerminateThread
        • String ID: Unpacking resource
        • API String ID: 4147224453-2729382032
        • Opcode ID: 244fba4c59f45de42edeac98790499b35785dc318de48c64fed49937764d6572
        • Instruction ID: 28916903e2df7758c32a7322e18c86351b9c680c030d794dcef7bc2cca7be48d
        • Opcode Fuzzy Hash: 244fba4c59f45de42edeac98790499b35785dc318de48c64fed49937764d6572
        • Instruction Fuzzy Hash: CD41A1B54083809FD334EB24D841BAFB7E8AB95310F048D2DF59957281EB359548DBA3
        APIs
        • std::_String_base::_Xlen.LIBCPMT ref: 00C3AD4A
        • std::_String_base::_Xlen.LIBCPMT ref: 00C3AD61
          • Part of subcall function 00CD5A98: __EH_prolog3.LIBCMT ref: 00CD5A9F
        Similarity
        • API ID: String_base::_Xlenstd::_$H_prolog3
        • String ID:
        • API String ID: 1152720618-0
        • Opcode ID: f3544e633cde66cd7c6b78c365f430316785f6106b58a1741290f541f16da870
        • Instruction ID: f8f4516beb8a0d73de5c1f8d58e681eeee45c87bd3ca5ae315c1d03f5042c918
        • Opcode Fuzzy Hash: f3544e633cde66cd7c6b78c365f430316785f6106b58a1741290f541f16da870
        • Instruction Fuzzy Hash: E3310432310A008FC720DE5CD980A6AF3E5DF91722F504A2EE5A2C7B51D771ED6187A2
        APIs
        • VariantInit.OLEAUT32(?), ref: 00C5A2D7
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • VariantClear.OLEAUT32(?), ref: 00C5A35B
        Similarity
        • API ID: ByteCharMultiVariantWide$ClearInit
        • String ID:
        • API String ID: 3205066715-0
        • Opcode ID: 39970afdd30e1190365de1503093e42e48d47befa12a308ed2cffaecd19f6aee
        • Instruction ID: b85b951f3d1cf9ec86577c24c6cf534201edf9c4b315d69a0afa0ba42854e88f
        • Opcode Fuzzy Hash: 39970afdd30e1190365de1503093e42e48d47befa12a308ed2cffaecd19f6aee
        • Instruction Fuzzy Hash: 212128B55047009FC210DF5AD884A1BB7E9EFC8710F148A1EF559C7260E735E949CB62
        APIs
        • Sleep.KERNEL32(00000064,?,?,?,?,?,00000000,?,?,?,00000000,?,00C38C5B,00000000,?,00000001), ref: 00C3710E
        • Sleep.KERNEL32(00000064,?,?,?,?,?,00000000,?,?,?,00000000,?,00C38C5B,00000000,?,00000001), ref: 00C37183
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: 7a54761affbbd53407764b600e98f41d6443b7617b274364d9f896160e3c01f0
        • Instruction ID: e41cffd2e92613bb5e337f0c0e0a40b27f00a4b761230ac1601d43ffa2b492bb
        • Opcode Fuzzy Hash: 7a54761affbbd53407764b600e98f41d6443b7617b274364d9f896160e3c01f0
        • Instruction Fuzzy Hash: 564112723546106BDA34BB798C82F2FB39AAF95700F204609F219DB3E1DE64DD0197E5
        APIs
        • std::_String_base::_Xlen.LIBCPMT ref: 00C3B08C
        Similarity
        • API ID: String_base::_Xlenstd::_
        • String ID:
        • API String ID: 1541887531-0
        • Opcode ID: 0672383fc62bee0c354efbb29f6a059a33eeb1e4e76b2528704f294be6db7bb7
        • Instruction ID: 3e26f12ebedc84f0da4e3242d780eda9eead018cba4bbec5c475815467096ad2
        • Opcode Fuzzy Hash: 0672383fc62bee0c354efbb29f6a059a33eeb1e4e76b2528704f294be6db7bb7
        • Instruction Fuzzy Hash: 33213A723246048FD72CDA5DD58092FF3AADBD2710F10091FE2B68B791D772AD4587A1
        APIs
          • Part of subcall function 00CD5A98: __EH_prolog3.LIBCMT ref: 00CD5A9F
        • std::_String_base::_Xlen.LIBCPMT ref: 00C3AE5F
          • Part of subcall function 00CD5A60: __EH_prolog3.LIBCMT ref: 00CD5A67
        Similarity
        • API ID: H_prolog3$String_base::_Xlenstd::_
        • String ID:
        • API String ID: 2993611205-0
        • Opcode ID: 62cd8fedf012e8f99b58340d5fd28f23d59ee4b68b44901435319a9bbd2f5edd
        • Instruction ID: eec9cb6a69c52c6f9476c6a698b303842adee34951c0ca7666e760699e535312
        • Opcode Fuzzy Hash: 62cd8fedf012e8f99b58340d5fd28f23d59ee4b68b44901435319a9bbd2f5edd
        • Instruction Fuzzy Hash: B621E4323106148BC714EE4DD884A2BF3A9DBE2761F10495EE5928B391D772EC7187E2
        APIs
        • SendMessageW.USER32(00000000), ref: 00C522ED
        Similarity
        • API ID: MessageSend
        • String ID:
        • API String ID: 3850602802-0
        • Opcode ID: 451b83c23cc38f974dcd58273fe9519dc31797addcf80b27b3589e42e3930712
        • Instruction ID: 19af33cafa8fd4692d2448c921a3c82a158906cb836b4a3957973ec5e292add0
        • Opcode Fuzzy Hash: 451b83c23cc38f974dcd58273fe9519dc31797addcf80b27b3589e42e3930712
        • Instruction Fuzzy Hash: 5E216DB6604611AFC310DF14D880E1BB7E9EB89B60F10061EF95197390C730ED05CBA2
        APIs
        • SHGetSpecialFolderPathW.SHELL32 ref: 00C6AA41
          • Part of subcall function 00CD614D: __onexit.MSVCRT ref: 00CD6155
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: FolderPathSpecial__onexit
        • String ID:
        • API String ID: 1587657709-0
        • Opcode ID: 8313d259b235152503d0b53e2cdef59bceac6de9e1016ee5094c6a09bab6be88
        • Instruction ID: 47351e2d890f55adacf15c443092b2e4f14ece6f0c3e8494f51c427b7ce118c6
        • Opcode Fuzzy Hash: 8313d259b235152503d0b53e2cdef59bceac6de9e1016ee5094c6a09bab6be88
        • Instruction Fuzzy Hash: D5210EB09483409BE7249F209D46B4B7FD4EB40718F00062AF599AA3C2DBB9C524CFA3
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: FileWrite
        • String ID:
        • API String ID: 3934441357-0
        • Opcode ID: 623e04b4f394e8e55a4b30bcf63b8c6e390114a05db50981e7e8abc5ab96b017
        • Instruction ID: df4f345a2ad7565b6abd45503cb167deea48a8c7a24cbff54fc8d318b5d790fd
        • Opcode Fuzzy Hash: 623e04b4f394e8e55a4b30bcf63b8c6e390114a05db50981e7e8abc5ab96b017
        • Instruction Fuzzy Hash: B4014B766193519BE7148E09EC84B6BF3A8FB84B25F04412AED54A7240D7749E048AA2
        APIs
        • CreateThread.KERNEL32(00000000,00000000,00C66C20,?,00000000,?), ref: 00C677B2
          • Part of subcall function 00C69670: GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,000000FF,?,?,?,00CE2949,00000000,05A2C2A1,0000000F,00000000,00000010,00000000), ref: 00C6969C
          • Part of subcall function 00C69C90: GetFileAttributesW.KERNEL32(?,00000010,00000000), ref: 00C69D7F
          • Part of subcall function 00C69C90: DeleteFileW.KERNEL32(?), ref: 00C69D8B
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: File$Attributes$CreateDeleteThread
        • String ID:
        • API String ID: 1886009219-0
        • Opcode ID: 029dad6bf1e9b1e1bc46c98d6c70ceeb7ff29bc6104138c95d30b8d29e3cfe3e
        • Instruction ID: 6a1ec075767d07a05acd46770dd4fc1cab6a495863c76b809c19b765f6606b54
        • Opcode Fuzzy Hash: 029dad6bf1e9b1e1bc46c98d6c70ceeb7ff29bc6104138c95d30b8d29e3cfe3e
        • Instruction Fuzzy Hash: 58F02471105300BBE23257209D89FEB76E8EB00B09F000A2DF55A591C1E7B16544C391
        APIs
        • CreateThread.KERNEL32(00000000,00000000,Function_00008B00,00000000), ref: 00C38FDD
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CreateThread
        • String ID:
        • API String ID: 2422867632-0
        • Opcode ID: da4dab6ca8050f27424e1e9cbb59deabee9c4aa7edea2f290d8438c26bf25577
        • Instruction ID: e4b2d94c673e2ea77ba63f4824d3faa304ff63066a3f4763a9e63dea8e812726
        • Opcode Fuzzy Hash: da4dab6ca8050f27424e1e9cbb59deabee9c4aa7edea2f290d8438c26bf25577
        • Instruction Fuzzy Hash: 13F0A7F16153229BE3209F989C01B43BFD8EB08B21F10412EF55AD7390E7B4D804C7A5
        APIs
        • SendMessageW.USER32(00000000), ref: 00C51DC2
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: MessageSend
        • String ID:
        • API String ID: 3850602802-0
        • Opcode ID: f5db386ed7822a34f973a4018b504d09d16311ea2d1227eb03926804481dd860
        • Instruction ID: a846d7757f7573c930b6000e0283506573b8be8d077f9a1ce14109ec3f708b62
        • Opcode Fuzzy Hash: f5db386ed7822a34f973a4018b504d09d16311ea2d1227eb03926804481dd860
        • Instruction Fuzzy Hash: E7F08271200210AFE3209B65CC49F577BA4DB81761F154565FA118F2E2CBB5D945CBE1
        APIs
          • Part of subcall function 00C3AE10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AE5F
        • CreateThread.KERNEL32(00000000,00000000,00C53650,?,00000000,0000000F), ref: 00C54831
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CreateString_base::_ThreadXlenstd::_
        • String ID:
        • API String ID: 1129344639-0
        • Opcode ID: bc5cc75c53f85190656c2ebdde2054da053f93bd1246d86efd18c5cc09b34b11
        • Instruction ID: 9868e776b1d0804bb93f502e549ceb91adea9eb375e674ea2637f5fe4832ace5
        • Opcode Fuzzy Hash: bc5cc75c53f85190656c2ebdde2054da053f93bd1246d86efd18c5cc09b34b11
        • Instruction Fuzzy Hash: D2F03935148320BBE324DB54CC46F97BBA4AB44B30F104B0DB2EA1A2D0DBB0B854C7A6
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,000000FF,?,?,?,00CE2949,00000000,05A2C2A1,0000000F,00000000,00000010,00000000), ref: 00C6969C
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$AttributesFile
        • String ID:
        • API String ID: 364578359-0
        • Opcode ID: 1664a63d56429ebc2cc0b8749cd57e0d7e69e186fe682bcac14ca093e4e25889
        • Instruction ID: 6573da744c2b4efb635f76a0ca51d2aa4ee7ae60a263f0bfd08f1167865644da
        • Opcode Fuzzy Hash: 1664a63d56429ebc2cc0b8749cd57e0d7e69e186fe682bcac14ca093e4e25889
        • Instruction Fuzzy Hash: 73E092B64152216BC200AF14FC41B8F779CAF41321F480619FC6896240E7399B1C97F7
        APIs
        • IsDialogMessageW.USER32(?,?), ref: 00C57029
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: DialogMessage
        • String ID:
        • API String ID: 547518314-0
        • Opcode ID: 64afbe6f4cadcb033ce42d61cb1a42bb43433913883a74ab5f676c2b5aaa698e
        • Instruction ID: 3101f0660727257f8cef875d5455b13f4d95444adf7e4060fc3e54149c92c387
        • Opcode Fuzzy Hash: 64afbe6f4cadcb033ce42d61cb1a42bb43433913883a74ab5f676c2b5aaa698e
        • Instruction Fuzzy Hash: F1C08CB58002849FD758CB00E8A4FEAB3A8EF54704F004D1CB540C3D09C2399C9ACB10
        APIs
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00C53D29,?,?), ref: 00C33A57
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: aa5e177eff31e2ffd33a002608df8b7c25b2d497cecc19432a5de507c41a5e58
        • Instruction ID: e462a0a06ca52ef759e6762d44baeb66ad7133175b3530c36152e94981f82c4a
        • Opcode Fuzzy Hash: aa5e177eff31e2ffd33a002608df8b7c25b2d497cecc19432a5de507c41a5e58
        • Instruction Fuzzy Hash: 5BD0C774354340BBE6304B74DC8AF0D77E46749B15F208A54F795EE1E0D7B1AD419A04
        APIs
        • FindCloseChangeNotification.KERNEL32(00000000,?,00C542F9,?), ref: 00C33A8D
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ChangeCloseFindNotification
        • String ID:
        • API String ID: 2591292051-0
        • Opcode ID: 3db96d5e4a4cd65e1275477f96f9e0aca6005334157efcbbe3bbb8bfd872df70
        • Instruction ID: 282eba6c83fc3d2c1e4936feb639add78c80f78e5c271ec4ab62c3c53ffb59a9
        • Opcode Fuzzy Hash: 3db96d5e4a4cd65e1275477f96f9e0aca6005334157efcbbe3bbb8bfd872df70
        • Instruction Fuzzy Hash: 84D09E352142518B96109F68A844A49B7989A153747100B55E4F4D72E0D3309E815A40
        Memory Dump Source
        • Source File: 00000000.00000002.3701785583.000000000A520000.00000010.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: caf37a03846223634d14a03e65f443f560f9490eb308cc3bdda2f31e0e255824
        • Instruction ID: 8e3f60bf4aa6c2dc9eefa4562ddcf97c5efe2be0ea5955908b0d553560f58d4d
        • Opcode Fuzzy Hash: caf37a03846223634d14a03e65f443f560f9490eb308cc3bdda2f31e0e255824
        • Instruction Fuzzy Hash: 8C528139A04220EFEB64CF84C980AADB3A1BF5A710F168459E9457F395C775EC42CFA1
        Memory Dump Source
        • Source File: 00000000.00000002.3701804042.000000000A524000.00000010.00000800.00020000.00000000.sdmp, Offset: 0A524000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3de95131aea30030c41c9aeb2acda863f4a3bb03854f22f7b21ffd25b60541fe
        • Instruction ID: 67cf377bcb4911e880e5a86b64cb5c039ab5f038e52405181b663fdaa2606e69
        • Opcode Fuzzy Hash: 3de95131aea30030c41c9aeb2acda863f4a3bb03854f22f7b21ffd25b60541fe
        • Instruction Fuzzy Hash: 2C41D074B00210AFEB54CF14D990E6AB3B5FF8A315F564698E85AAF392C730EC41CB91
        Memory Dump Source
        • Source File: 00000000.00000002.3701590643.000000000A460000.00000010.00000800.00020000.00000000.sdmp, Offset: 0A460000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 7b333f687286b97656cb0952646b65401b95e7ac8f32d0529e598bc63f021bcd
        • Instruction ID: 95a1ac4c2eb5ccf8019cd998fab7787d13e54ebdf215613691b3d0c68a397607
        • Opcode Fuzzy Hash: 7b333f687286b97656cb0952646b65401b95e7ac8f32d0529e598bc63f021bcd
        • Instruction Fuzzy Hash:
        APIs
        • GetLastError.KERNEL32(AcquireCredentialsHandle,?,00000000), ref: 00CCC8AE
        Strings
        • SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 00CCCB61
        • SEC_E_DECRYPT_FAILURE, xrefs: 00CCC995
        • SEC_E_DELEGATION_REQUIRED, xrefs: 00CCC9A9
        • SEC_E_NO_IMPERSONATION, xrefs: 00CCCAAD
        • SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 00CCC98B
        • SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 00CCCCD7
        • SEC_E_OUT_OF_SEQUENCE, xrefs: 00CCCAE9
        • SEC_E_CANNOT_PACK, xrefs: 00CCC94F
        • SEC_I_LOCAL_LOGON, xrefs: 00CCCCA9
        • SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 00CCCA17
        • SEC_E_INVALID_PARAMETER, xrefs: 00CCCA03
        • SEC_I_COMPLETE_NEEDED, xrefs: 00CCCC94
        • CRYPT_E_REVOKED, xrefs: 00CCCBD9
        • SEC_E_KDC_UNABLE_TO_REFER, xrefs: 00CCCA49
        • SEC_E_CONTEXT_EXPIRED, xrefs: 00CCC977
        • SEC_E_KDC_UNKNOWN_ETYPE, xrefs: 00CCCA53
        • SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 00CCCB6B
        • SEC_E_NO_PA_DATA, xrefs: 00CCCACB
        • SEC_E_DELEGATION_POLICY, xrefs: 00CCC99F
        • SEC_E_NO_CREDENTIALS, xrefs: 00CCCAA3
        • SEC_E_KDC_CERT_REVOKED, xrefs: 00CCCA35
        • SEC_E_BUFFER_TOO_SMALL, xrefs: 00CCC93B
        • SEC_E_KDC_INVALID_REQUEST, xrefs: 00CCCA3F
        • SEC_E_CERT_EXPIRED, xrefs: 00CCC959
        • SEC_E_BAD_BINDINGS, xrefs: 00CCC927
        • SEC_E_DOWNGRADE_DETECTED, xrefs: 00CCC9B3
        • SEC_E_SECURITY_QOS_FAILED, xrefs: 00CCCB39
        • SEC_I_NO_LSA_CONTEXT, xrefs: 00CCCCB0
        • SEC_E_SECPKG_NOT_FOUND, xrefs: 00CCCB2F
        • SEC_E_CERT_UNKNOWN, xrefs: 00CCC963
        • SEC_I_CONTEXT_EXPIRED, xrefs: 00CCCC9B
        • SEC_E_PKINIT_NAME_MISMATCH, xrefs: 00CCCAFD
        • SEC_E_KDC_CERT_EXPIRED, xrefs: 00CCCA2B
        • SEC_I_CONTINUE_NEEDED, xrefs: 00CCCBDF, 00CCCC6A
        • SEC_E_UNSUPPORTED_PREAUTH, xrefs: 00CCCBB1
        • SEC_E_NO_KERB_KEY, xrefs: 00CCCAC1
        • SEC_E_NO_IP_ADDRESSES, xrefs: 00CCCAB7
        • SEC_E_TARGET_UNKNOWN, xrefs: 00CCCB75
        • SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 00CCCB43
        • SEC_E_CERT_WRONG_USAGE, xrefs: 00CCC96D
        • SEC_E_UNTRUSTED_ROOT, xrefs: 00CCCBBB
        • SEC_E_REVOCATION_OFFLINE_C, xrefs: 00CCCB1B
        • SEC_E_NO_TGT_REPLY, xrefs: 00CCCADF
        • SEC_E_MAX_REFERRALS_EXCEEDED, xrefs: 00CCCA67
        • SEC_E_CANNOT_INSTALL, xrefs: 00CCC945
        • SEC_E_TOO_MANY_PRINCIPALS, xrefs: 00CCCB89
        • SEC_E_MULTIPLE_ACCOUNTS, xrefs: 00CCCA7B
        • SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 00CCC981
        • SEC_E_TIME_SKEW, xrefs: 00CCCB7F
        • Unknown error, xrefs: 00CCCCC5
        • SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 00CCCB25
        • SEC_E_INSUFFICIENT_MEMORY, xrefs: 00CCC9E5
        • SEC_E_NOT_OWNER, xrefs: 00CCCA8F
        • SEC_I_COMPLETE_AND_CONTINUE, xrefs: 00CCCC8D
        • SEC_I_RENEGOTIATE, xrefs: 00CCCCB7
        • SEC_E_BAD_PKGID, xrefs: 00CCC931
        • SEC_E_ENCRYPT_FAILURE, xrefs: 00CCC9BD
        • SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 00CCCAF3
        • SEC_I_SIGNATURE_NEEDED, xrefs: 00CCCCBE
        • %s (0x%08X), xrefs: 00CCCBE0
        • SEC_I_INCOMPLETE_CREDENTIALS, xrefs: 00CCCCA2
        • SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 00CCCB4D
        • SEC_E_MESSAGE_ALTERED, xrefs: 00CCCA71
        • SEC_E_INVALID_HANDLE, xrefs: 00CCC9F9
        • SEC_E_UNSUPPORTED_FUNCTION, xrefs: 00CCCBA7
        • SEC_E_QOP_NOT_SUPPORTED, xrefs: 00CCCB11
        • SEC_E_NO_AUTHENTICATING_AUTHORITY, xrefs: 00CCCA99
        • AcquireCredentialsHandle, xrefs: 00CCC8A6
        • SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 00CCC9D1
        • SEC_E_UNKNOWN_CREDENTIALS, xrefs: 00CCCB9D
        • SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 00CCCAD5
        • %s - %s, xrefs: 00CCCD03
        • SEC_E_ALGORITHM_MISMATCH, xrefs: 00CCC91D
        • SEC_E_INCOMPLETE_MESSAGE, xrefs: 00CCC9DB
        • SEC_E_INTERNAL_ERROR, xrefs: 00CCC9EF
        • SEC_E_WRONG_PRINCIPAL, xrefs: 00CCCBCF
        • SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 00CCCB93
        • No error, xrefs: 00CCCC60
        • SEC_E_WRONG_CREDENTIAL_HANDLE, xrefs: 00CCCBC5
        • SEC_E_ILLEGAL_MESSAGE, xrefs: 00CCC9C7
        • SEC_E_INVALID_TOKEN, xrefs: 00CCCA0D
        • SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 00CCCB57
        • SEC_E_POLICY_NLTM_ONLY, xrefs: 00CCCB07
        • SEC_E_LOGON_DENIED, xrefs: 00CCCA5D
        • SEC_E_MUST_BE_KDC, xrefs: 00CCCA85
        • SEC_E_ISSUING_CA_UNTRUSTED_KDC, xrefs: 00CCCA21
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLast
        • String ID: %s (0x%08X)$%s - %s$AcquireCredentialsHandle$CRYPT_E_REVOKED$No error$SEC_E_ALGORITHM_MISMATCH$SEC_E_BAD_BINDINGS$SEC_E_BAD_PKGID$SEC_E_BUFFER_TOO_SMALL$SEC_E_CANNOT_INSTALL$SEC_E_CANNOT_PACK$SEC_E_CERT_EXPIRED$SEC_E_CERT_UNKNOWN$SEC_E_CERT_WRONG_USAGE$SEC_E_CONTEXT_EXPIRED$SEC_E_CROSSREALM_DELEGATION_FAILURE$SEC_E_CRYPTO_SYSTEM_INVALID$SEC_E_DECRYPT_FAILURE$SEC_E_DELEGATION_POLICY$SEC_E_DELEGATION_REQUIRED$SEC_E_DOWNGRADE_DETECTED$SEC_E_ENCRYPT_FAILURE$SEC_E_ILLEGAL_MESSAGE$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_E_INCOMPLETE_CREDENTIALS$SEC_E_INCOMPLETE_MESSAGE$SEC_E_INSUFFICIENT_MEMORY$SEC_E_INTERNAL_ERROR$SEC_E_INVALID_HANDLE$SEC_E_INVALID_PARAMETER$SEC_E_INVALID_TOKEN$SEC_E_ISSUING_CA_UNTRUSTED$SEC_E_ISSUING_CA_UNTRUSTED_KDC$SEC_E_KDC_CERT_EXPIRED$SEC_E_KDC_CERT_REVOKED$SEC_E_KDC_INVALID_REQUEST$SEC_E_KDC_UNABLE_TO_REFER$SEC_E_KDC_UNKNOWN_ETYPE$SEC_E_LOGON_DENIED$SEC_E_MAX_REFERRALS_EXCEEDED$SEC_E_MESSAGE_ALTERED$SEC_E_MULTIPLE_ACCOUNTS$SEC_E_MUST_BE_KDC$SEC_E_NOT_OWNER$SEC_E_NO_AUTHENTICATING_AUTHORITY$SEC_E_NO_CREDENTIALS$SEC_E_NO_IMPERSONATION$SEC_E_NO_IP_ADDRESSES$SEC_E_NO_KERB_KEY$SEC_E_NO_PA_DATA$SEC_E_NO_S4U_PROT_SUPPORT$SEC_E_NO_TGT_REPLY$SEC_E_OUT_OF_SEQUENCE$SEC_E_PKINIT_CLIENT_FAILURE$SEC_E_PKINIT_NAME_MISMATCH$SEC_E_POLICY_NLTM_ONLY$SEC_E_QOP_NOT_SUPPORTED$SEC_E_REVOCATION_OFFLINE_C$SEC_E_REVOCATION_OFFLINE_KDC$SEC_E_SECPKG_NOT_FOUND$SEC_E_SECURITY_QOS_FAILED$SEC_E_SHUTDOWN_IN_PROGRESS$SEC_E_SMARTCARD_CERT_EXPIRED$SEC_E_SMARTCARD_CERT_REVOKED$SEC_E_SMARTCARD_LOGON_REQUIRED$SEC_E_STRONG_CRYPTO_NOT_SUPPORTED$SEC_E_TARGET_UNKNOWN$SEC_E_TIME_SKEW$SEC_E_TOO_MANY_PRINCIPALS$SEC_E_UNFINISHED_CONTEXT_DELETED$SEC_E_UNKNOWN_CREDENTIALS$SEC_E_UNSUPPORTED_FUNCTION$SEC_E_UNSUPPORTED_PREAUTH$SEC_E_UNTRUSTED_ROOT$SEC_E_WRONG_CREDENTIAL_HANDLE$SEC_E_WRONG_PRINCIPAL$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
        • API String ID: 1452528299-2953340572
        • Opcode ID: 1d6e08bd0c7a20e25899dc12346b1db7ef8ffebcbe365aa1224a6254ed91bbbe
        • Instruction ID: 840f552d687710ed3643fceb56e4675072b6870e086970fc9cc68aeafdfb932b
        • Opcode Fuzzy Hash: 1d6e08bd0c7a20e25899dc12346b1db7ef8ffebcbe365aa1224a6254ed91bbbe
        • Instruction Fuzzy Hash: D8A1E8E2A08288F7CB91569EC9E8F796A54E745380B20C83FF60FCB351D515CE866753
        APIs
        • CopyRect.USER32(?,?), ref: 00C50986
        • SetBkMode.GDI32(?,00000001), ref: 00C5098F
        • CreateSolidBrush.GDI32(00000000), ref: 00C509AD
        • FrameRect.USER32(?,?,00000000), ref: 00C509B8
        • InflateRect.USER32(?,000000FF,000000FF), ref: 00C509C7
        • DeleteObject.GDI32(00000000), ref: 00C509D2
        • GetSysColor.USER32(00000010), ref: 00C50A22
        • CreateSolidBrush.GDI32(00000000), ref: 00C50A29
        • FrameRect.USER32(?,?,00000000), ref: 00C50A34
        • DeleteObject.GDI32(00000000), ref: 00C50A43
        • GetSysColor.USER32(00000014), ref: 00C50A56
        • CreatePen.GDI32(00000000,00000000,00000000), ref: 00C50A63
        • GetSysColor.USER32(00000016), ref: 00C50A6B
        • CreatePen.GDI32(00000000,00000000,00000000), ref: 00C50A72
        • GetSysColor.USER32(00000010), ref: 00C50A7A
        • CreatePen.GDI32(00000000,00000000,00000000), ref: 00C50A81
        • GetSysColor.USER32(00000015), ref: 00C50A89
        • CreatePen.GDI32(00000000,00000000,00000000), ref: 00C50A90
        • GetSysColor.USER32(00000010), ref: 00C50AB1
        • GetSysColor.USER32(00000014), ref: 00C50AB6
        • SelectObject.GDI32(?,?), ref: 00C50AD8
        • MoveToEx.GDI32(?,?,?,00000000), ref: 00C50AEC
        • LineTo.GDI32(?,?,?), ref: 00C50B03
        • LineTo.GDI32(?,?,?), ref: 00C50B10
        • SelectObject.GDI32(?,?), ref: 00C50B18
        • MoveToEx.GDI32(?,?,?,00000000), ref: 00C50B29
        • LineTo.GDI32(?,?,?), ref: 00C50B3C
        • LineTo.GDI32(?,?,?), ref: 00C50B4A
        • SelectObject.GDI32(?,05A2C2A1), ref: 00C50B52
        • MoveToEx.GDI32(?,?,?,00000000), ref: 00C50B62
        • LineTo.GDI32(?,?,?), ref: 00C50B75
        • LineTo.GDI32(?,?,?), ref: 00C50B84
        • SelectObject.GDI32(?,?), ref: 00C50B8C
        • MoveToEx.GDI32(?,?,?,00000000), ref: 00C50B9F
        • LineTo.GDI32(?,?,?), ref: 00C50BB6
        • LineTo.GDI32(?,?,?), ref: 00C50BC6
        • SelectObject.GDI32(?,?), ref: 00C50BCE
        • DeleteObject.GDI32(05A2C2A1), ref: 00C50BDF
        • DeleteObject.GDI32(?), ref: 00C50BEA
        • DeleteObject.GDI32(?), ref: 00C50BF5
        • DeleteObject.GDI32(?), ref: 00C50C00
        • GetWindowTextLengthW.USER32(?), ref: 00C50C14
        • GetWindowTextW.USER32(?,?,00000001), ref: 00C50C44
        • CopyRect.USER32(?,?), ref: 00C50C54
        • SetBkColor.GDI32(?,00FFFFFF), ref: 00C50CA3
        • OffsetRect.USER32(?,00000001,00000001), ref: 00C50CF9
        • DrawTextW.USER32(?,?,000000FF,?,00000411), ref: 00C50D29
        • OffsetRect.USER32(?,?,?), ref: 00C50D61
        • SetBkMode.GDI32(?,00000001), ref: 00C50D66
        • OffsetRect.USER32(?,00000001,00000001), ref: 00C50D7C
        • GetSysColor.USER32(00000014), ref: 00C50D80
        • SetTextColor.GDI32(?,00000000), ref: 00C50D88
        • DrawTextW.USER32(?,?,000000FF,?,00000011), ref: 00C50D99
        • OffsetRect.USER32(?,000000FF,000000FF), ref: 00C50DA8
        • GetSysColor.USER32(00000010), ref: 00C50DAC
        • SetTextColor.GDI32(?,00000000), ref: 00C50DB4
        • DrawTextW.USER32(?,?,000000FF,?,00000011), ref: 00C50DF8
        • InflateRect.USER32(?,000000FD,000000FD), ref: 00C50E36
        • DrawFocusRect.USER32(?,?), ref: 00C50E42
        • InterlockedDecrement.KERNEL32(?), ref: 00C50E5C
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Color$ObjectRect$Line$Text$CreateDelete$Select$DrawMoveOffset$BrushCopyFrameInflateModeSolidWindow$DecrementFocusInterlockedLength
        • String ID:
        • API String ID: 954328197-0
        • Opcode ID: 1eda3113a5b1a2bcfd48ea2816c185a27865a715cbc638e4846d81c596fa62a0
        • Instruction ID: 9d6a3d78ed1e36479542669d40c4a8a457825de265dad96ea93f6106be29d4f9
        • Opcode Fuzzy Hash: 1eda3113a5b1a2bcfd48ea2816c185a27865a715cbc638e4846d81c596fa62a0
        • Instruction Fuzzy Hash: 54028C75108384AFE704DB64CC89FAFB7ECEF89711F104608FA9187291D7B4A985CB66
        APIs
        • lstrcmpiW.KERNEL32(?,?,?,?,Delete,?,05A2C2A1,?,?,?,?,?,00CDB126,000000FF), ref: 00C63329
        • lstrcmpiW.KERNEL32(?,ForceRemove,?,?,?,?,Delete,?,05A2C2A1,?,?,?,?,?,00CDB126,000000FF), ref: 00C63338
        • CharNextW.USER32(?,?,?,?,?,?,Delete,?,05A2C2A1,?,?,?,?,?,00CDB126,000000FF), ref: 00C63383
        • lstrlenW.KERNEL32(?,?,?,?,?,?,Delete,?,05A2C2A1,?,?,?,?,?,00CDB126,000000FF), ref: 00C63400
        • lstrcmpiW.KERNEL32(?,NoRemove,?,?,?,?,?,Delete,?,05A2C2A1,?,?,?,?,?,00CDB126), ref: 00C6345B
        • lstrcmpiW.KERNEL32(?,Val,?,?,?,?,Delete,?,05A2C2A1,?,?,?,?,?,00CDB126,000000FF), ref: 00C63483
        • RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,?,Delete,?,05A2C2A1), ref: 00C6355D
        • RegCloseKey.ADVAPI32(?,?,?,?,?,Delete,?,05A2C2A1,?,?,?,?,?,00CDB126,000000FF), ref: 00C63575
        • CharNextW.USER32(?,?,?,?,?,Delete,?,05A2C2A1,?,?,?,?,?,00CDB126,000000FF), ref: 00C635A8
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,0002001F,?,?,?,?,?,Delete,?,05A2C2A1), ref: 00C635E2
        • RegCloseKey.ADVAPI32(?,?,?,?,?,Delete,?,05A2C2A1,?,?,?,?,?,00CDB126,000000FF), ref: 00C635F7
        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,Delete,?,05A2C2A1), ref: 00C63644
        • RegCloseKey.ADVAPI32(?,?,?,?,?,Delete,?,05A2C2A1,?,?,?,?,?,00CDB126,000000FF), ref: 00C6365F
          • Part of subcall function 00C620C0: CharNextW.USER32 ref: 00C620FD
          • Part of subcall function 00C620C0: CharNextW.USER32(00000000), ref: 00C6211D
          • Part of subcall function 00C620C0: CharNextW.USER32(00000000), ref: 00C62136
          • Part of subcall function 00C620C0: CharNextW.USER32 ref: 00C6213D
          • Part of subcall function 00C620C0: CharNextW.USER32(00000000), ref: 00C6218B
        • lstrlenW.KERNEL32(?,?), ref: 00C63731
        • RegCloseKey.ADVAPI32(?,?), ref: 00C6381B
        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C63857
          • Part of subcall function 00C623C0: RegCloseKey.ADVAPI32 ref: 00C623CA
        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,Delete,?,05A2C2A1,?,?,?,?,?,00CDB126,000000FF), ref: 00C638FD
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CharNext$Close$lstrcmpi$Deletelstrlen$CreateOpenValue
        • String ID: Delete$ForceRemove$NoRemove$Val
        • API String ID: 294063509-1781481701
        • Opcode ID: 596901e501953f405f4700a8f3b6c711eb239d0f5ea15bd85acc6034f51bb302
        • Instruction ID: bacd2b1b1eaa433185861f8f49f0a1da37b1d24fa21dc45127c0edf43b74fe00
        • Opcode Fuzzy Hash: 596901e501953f405f4700a8f3b6c711eb239d0f5ea15bd85acc6034f51bb302
        • Instruction Fuzzy Hash: 2D02B2B15083959BC7349F65C8D4A6FB7E8AF88740F00092EF95697291DB74CF04DBA2
        APIs
          • Part of subcall function 00C3B030: std::_String_base::_Xlen.LIBCPMT ref: 00C3B08C
          • Part of subcall function 00C6AEB0: GetTempPathW.KERNEL32(00000104,?,05A2C2A1,00000000,00000000), ref: 00C6AF38
          • Part of subcall function 00C6E5C0: FindResourceW.KERNEL32(00000000,?,?,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00C6E62E
        • LoadLibraryW.KERNEL32(?), ref: 00C87F85
        • GetProcAddress.KERNEL32(00000000,00000001), ref: 00C87FAE
        • GetProcAddress.KERNEL32(00000000,00000003), ref: 00C87FB8
        • GetProcAddress.KERNEL32(00000000,0000000A), ref: 00C87FC2
        • GetProcAddress.KERNEL32(00000000,00000002), ref: 00C87FCC
        • GetProcAddress.KERNEL32(00000000,00000007), ref: 00C87FD6
        • GetProcAddress.KERNEL32(00000000,00000012), ref: 00C87FE0
        • GetProcAddress.KERNEL32(00000000,0000000C), ref: 00C87FEA
        • GetProcAddress.KERNEL32(00000000,00000006), ref: 00C87FF4
        • GetProcAddress.KERNEL32(00000000,00000004), ref: 00C87FFE
        • GetProcAddress.KERNEL32(00000000,00000010), ref: 00C88007
        • GetProcAddress.KERNEL32(00000000,00000005), ref: 00C88011
        • GetProcAddress.KERNEL32(00000000,00000011), ref: 00C8801B
        • GetProcAddress.KERNEL32(00000000,00000008), ref: 00C88025
        • GetProcAddress.KERNEL32(00000000,00000014), ref: 00C8802F
        • FreeLibrary.KERNEL32(00000000,Fail get Fusion functions,00000019), ref: 00C880BB
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: AddressProc$Library$FindFreeLoadPathResourceString_base::_TempXlenstd::_
        • String ID: DLL$FUSION_DLL$Fail get Fusion functions$Fail load Fusion dll$Fusion.dll
        • API String ID: 3687152578-371393605
        • Opcode ID: 989069c5a80a69c599a7c72d111e7c2a8da5bcc8b511d5748177ce5a03ff6e0b
        • Instruction ID: 2f9464777b3e05156af08442970ed8be7434a99472ba2c980b2089f0c799b6cd
        • Opcode Fuzzy Hash: 989069c5a80a69c599a7c72d111e7c2a8da5bcc8b511d5748177ce5a03ff6e0b
        • Instruction Fuzzy Hash: DD716271D083849FD720EF659C89B8B7BE8AB85704F44492FF258D6251DB74A508CF62
        APIs
        • FreeLibrary.KERNEL32(?), ref: 00C77988
        • FreeLibrary.KERNEL32(?), ref: 00C77992
        • RtlEnterCriticalSection.NTDLL(00D07434), ref: 00C779A6
        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C779BC
        • RtlLeaveCriticalSection.NTDLL(00D07434), ref: 00C77B1D
        • TerminateThread.KERNEL32(?,00000001), ref: 00C77B37
        • CloseHandle.KERNEL32(?), ref: 00C77B4A
        • RtlDeleteCriticalSection.NTDLL(?), ref: 00C77B59
        • CloseHandle.KERNEL32(?), ref: 00C77B62
        • CloseHandle.KERNEL32(?), ref: 00C77B6B
        • InterlockedDecrement.KERNEL32(00D07454), ref: 00C77B72
        • RtlDeleteCriticalSection.NTDLL(00D07434), ref: 00C77B81
        Strings
        • warning: removing Breakpad handler out of order, xrefs: 00C77A26
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalSection$CloseHandle$DeleteFreeLibrary$DecrementEnterExceptionFilterInterlockedLeaveTerminateThreadUnhandled
        • String ID: warning: removing Breakpad handler out of order
        • API String ID: 1612214688-3173292377
        • Opcode ID: c0a04dfe14982a1e699f48fe6d9d90fa33fbe810700dfa93af8f3d7da3945250
        • Instruction ID: 5ecc42e7050b172ff18c740e1ef187ee2071899c289aa54e0e59b452afb427c1
        • Opcode Fuzzy Hash: c0a04dfe14982a1e699f48fe6d9d90fa33fbe810700dfa93af8f3d7da3945250
        • Instruction Fuzzy Hash: C871A2B1A047489BD720EF75D885B1AB7B5BF44310B148A1DE66E87311DB30FA04DB62
        APIs
        • socket.WS2_32 ref: 00CB83B1
        • htonl.WS2_32(7F000001), ref: 00CB83F0
        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000010,00000004), ref: 00CB841D
        • bind.WS2_32(00000000,00000001,00000010), ref: 00CB8434
        • getsockname.WS2_32(00000000,00000001,00000006), ref: 00CB844E
        • listen.WS2_32(00000000,00000001), ref: 00CB8460
        • socket.WS2_32(00000002,00000001,00000000), ref: 00CB8475
        • connect.WS2_32(00000000,00000001,00000010), ref: 00CB848A
        • accept.WS2_32(00000000,00000000,00000000), ref: 00CB849E
        • send.WS2_32(?,?,?,00000000), ref: 00CB84E6
        • recv.WS2_32(FFFFFFFF,?,0000000C,00000000), ref: 00CB84FD
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: socket$acceptbindconnectgetsocknamehtonllistenrecvsendsetsockopt
        • String ID:
        • API String ID: 3412115556-0
        • Opcode ID: a8c6e3d5e0a03a476d706900276d67c5ffb48fbe02a15709ce0f298f56e8ebb5
        • Instruction ID: d01d0bce6d9e148a520fa4fb7192ea4e1374df4c14a469de816dd26ea3e31a2a
        • Opcode Fuzzy Hash: a8c6e3d5e0a03a476d706900276d67c5ffb48fbe02a15709ce0f298f56e8ebb5
        • Instruction Fuzzy Hash: A6517171604340ABE7209F788C85BAA77ADEF84320F544F19F6A6CA1D0EB71DA4DCB51
        APIs
          • Part of subcall function 00C48CA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C48D3A
        • GetVersionExW.KERNEL32 ref: 00C40DAB
          • Part of subcall function 00C6A5F0: RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?,0000000F,00000000,00CE2949,00000000,05A2C2A1,0000000F,00000000,00000010,00000000), ref: 00C6A650
          • Part of subcall function 00C3AE10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AE5F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Ios_base_dtorOpenString_base::_VersionXlenstd::_std::ios_base::_
        • String ID: '$/$0$1$2$3$4$9$:$installId$installId2
        • API String ID: 400326413-1781109313
        • Opcode ID: a32ea7c6dabf390fc42663c77ab9e98ffed71eda85eea41369f5daca4bee23ac
        • Instruction ID: 46dfdbd44e71c6e41c5d27e01245c61b9643723ebeff976d768797016bfb9eb3
        • Opcode Fuzzy Hash: a32ea7c6dabf390fc42663c77ab9e98ffed71eda85eea41369f5daca4bee23ac
        • Instruction Fuzzy Hash: F122EAB1849B809ED321DF3A8491BD7FBE8BFA5304F44495EE1EE83252DB706144CB66
        APIs
        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,?,00000000,0000000F,00000000), ref: 00C97B2C
        • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?,?,?,?,00000000,0000000F,00000000), ref: 00C97B47
        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,00000000,0000000F,00000000), ref: 00C97B57
        • CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?,00000000,0000000F,00000000), ref: 00C97B9B
        • CryptDestroyHash.ADVAPI32(?,?,?,?,00000000,0000000F,00000000), ref: 00C97BAA
        • CryptReleaseContext.ADVAPI32(00000002,00000000), ref: 00C97BB6
        • CryptGetHashParam.ADVAPI32 ref: 00C97C12
        • CryptDestroyHash.ADVAPI32(?), ref: 00C97C21
        • CryptDestroyHash.ADVAPI32(?), ref: 00C97C34
        • CryptReleaseContext.ADVAPI32(00000002,00000000), ref: 00C97C40
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Crypt$Hash$Context$DestroyRelease$AcquireCreateDataParam
        • String ID:
        • API String ID: 1920540483-3916222277
        • Opcode ID: e1d4362e0415ece7136a7bf361bc1d06d3cbe09a87a774ac6a62cfe492d43164
        • Instruction ID: f8988abd126a4704237ac0f8860bd8652d91249c264be7870dcc3a4315d1a7d3
        • Opcode Fuzzy Hash: e1d4362e0415ece7136a7bf361bc1d06d3cbe09a87a774ac6a62cfe492d43164
        • Instruction Fuzzy Hash: 7E7191B1619380AFD724DF28C888B6BB7EAFF94700F144A1DF19687251D770D948CB92
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 5$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$Error text not found (please report)$LF)$UCP)$UTF8)$^$no error
        • API String ID: 0-2564216060
        • Opcode ID: fb0637d32e224f5212697effcb6cd55701a44c6aa3de729f431662fa4506ef38
        • Instruction ID: f49681aa9d20d8b0a05636fa5d45b835076def69d3bf7aa62169a8f6193351bd
        • Opcode Fuzzy Hash: fb0637d32e224f5212697effcb6cd55701a44c6aa3de729f431662fa4506ef38
        • Instruction Fuzzy Hash: E832D471A087829BD325CF29C85176BBBE1AF86308F14492EF4A9C7391E774DB44CB52
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: "col$1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-1632682491
        • Opcode ID: 645e76e841ca60e46e2118e4c3c212063859eaaf90ef15dc71e2a0ef297da685
        • Instruction ID: 501046da2ab9aae790f1e0cd9f2146e67e7761548f560634c1a5cddd50b34730
        • Opcode Fuzzy Hash: 645e76e841ca60e46e2118e4c3c212063859eaaf90ef15dc71e2a0ef297da685
        • Instruction Fuzzy Hash: AAD2883200DBC11ECB268A329B5B676BF28FA1372171817CEC5A24B4B3D6115F17D79A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: f4bb96a7c0eb3c658006d8f8a19f9fe17829dfaed5228dbf9b80ba7c35f0a94c
        • Instruction ID: 16deecebd0775537d187aa71ec7589228461f678b5a93fa8dfac077c6bdf844b
        • Opcode Fuzzy Hash: f4bb96a7c0eb3c658006d8f8a19f9fe17829dfaed5228dbf9b80ba7c35f0a94c
        • Instruction Fuzzy Hash: ABD2883200DBC11ECB168E329B5B676BF28FA1372171817CEC5A24A4B3D6115F1BD79A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: 999ade5cbc4e3098153b631656daca15b80a880cc9cc2f596c7498b609c82a3d
        • Instruction ID: c301052ce0020bf674ba9a3addc8895cc07d39ba364d38b37f41bac6a975f395
        • Opcode Fuzzy Hash: 999ade5cbc4e3098153b631656daca15b80a880cc9cc2f596c7498b609c82a3d
        • Instruction Fuzzy Hash: 46D2893200DBC11ECB268E329B5B676BF28FA1372171817CEC5A24A4B3D6115F17D79A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: 568a3331903d1166d65d89d925ae2ca912e22e168a721ba183dc2c594ed62d0d
        • Instruction ID: 522436fafc18f213a9d746fc1695d88280a13ad4f90a9a58d8e0347355604c58
        • Opcode Fuzzy Hash: 568a3331903d1166d65d89d925ae2ca912e22e168a721ba183dc2c594ed62d0d
        • Instruction Fuzzy Hash: E9D29A3200DBC11ECB2A9E329B5B676BF28FA1371171817CEC5A24A4B3D6105F17D79A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: b75276aa23177851242bb1237f14ea914a8e988fc8e1378679f6f13b9335d2f7
        • Instruction ID: b405321da7fd0a8a8bc1c4e7e04711b3e0eef0739b05b356ad1a3bb287b431f7
        • Opcode Fuzzy Hash: b75276aa23177851242bb1237f14ea914a8e988fc8e1378679f6f13b9335d2f7
        • Instruction Fuzzy Hash: EFC29B3200DBC11ECB1A9E329B5B676BF28FA1372171817CEC5A24A4B3D6105F17D79A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: 2f68bf1e7f3f786b8d36a12b62ed3ae88cc977604ed7605a54fede14e675ee7a
        • Instruction ID: 340e7e88ad0b4ca26352043e468f1029b29b68dbbd610165945daaebfec05fef
        • Opcode Fuzzy Hash: 2f68bf1e7f3f786b8d36a12b62ed3ae88cc977604ed7605a54fede14e675ee7a
        • Instruction Fuzzy Hash: DBC29B3200DBC11ECB2A9E329B5B676BF28FA1372171817CEC5A14A4B3D6105F17D79A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: ed5c6555e38e207e6949705e876fd909e8427fe02cf207d002fb515e093efc13
        • Instruction ID: cbf022d48affc683b368200660bd56f85d34d7b88a5db2dd5def6ccf2a1c76ca
        • Opcode Fuzzy Hash: ed5c6555e38e207e6949705e876fd909e8427fe02cf207d002fb515e093efc13
        • Instruction Fuzzy Hash: C8C29A3200DBC11ECB2A9E329B5B676BF28FA1372171817CEC5A14A4B3D6105F17D79A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: 20f608bcec64e342c606f8a59b718503eaf153c74c9b91ff4f25a45859e4961e
        • Instruction ID: ddabdf87d31d6dd2a2e77604b2ba3bfa82febeb0032469d1c156b344c622aff3
        • Opcode Fuzzy Hash: 20f608bcec64e342c606f8a59b718503eaf153c74c9b91ff4f25a45859e4961e
        • Instruction Fuzzy Hash: F3B28B3200D7C12ECB299E239B5B6B6BF29FB1372171817CFC5A14A4B395105F1BC69A
        APIs
        • PathCombineW.SHLWAPI ref: 00C75276
        • FindFirstFileW.KERNEL32(?,?), ref: 00C75289
        • PathCombineW.SHLWAPI(?,?,?), ref: 00C752C0
        • FindNextFileW.KERNEL32(00000000,?), ref: 00C75320
        • FindClose.KERNEL32(00000000), ref: 00C7532F
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Find$CombineFilePath$CloseFirstNext
        • String ID:
        • API String ID: 318233686-0
        • Opcode ID: 274a0f17cdf1027882ab1512ae930847d23994b9199b318f9b001a607811e023
        • Instruction ID: 9ab8ba9347bd9bf1839d61c694ca1da0e8c56e26f96174b2fd5d13474878b1f4
        • Opcode Fuzzy Hash: 274a0f17cdf1027882ab1512ae930847d23994b9199b318f9b001a607811e023
        • Instruction Fuzzy Hash: 5541B7B51187809FD360DF24D884B5B73E8FB84754F408A1DF59E872A1DBB4A504CB62
        APIs
        • IsDebuggerPresent.KERNEL32 ref: 00CD6B4D
        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CD6B62
        • UnhandledExceptionFilter.KERNEL32(00CF57F0), ref: 00CD6B6D
        • GetCurrentProcess.KERNEL32(C0000409), ref: 00CD6B89
        • TerminateProcess.KERNEL32(00000000), ref: 00CD6B90
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
        • String ID:
        • API String ID: 2579439406-0
        • Opcode ID: 2dc18b1f03e37e02380e8f36ef7401c12e02986cd20b9e62392c7bd0a186ec56
        • Instruction ID: 33c52f6cdfa8229a72cc08b6312385347108ac7ef37fefe3355917ee2d5ba940
        • Opcode Fuzzy Hash: 2dc18b1f03e37e02380e8f36ef7401c12e02986cd20b9e62392c7bd0a186ec56
        • Instruction Fuzzy Hash: A121CDB4D18344DBE714EF28EC847583BA4FB08310F10415AE60DDA760EBB46A81CB29
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CloseEnumOpen$String_base::_Xlenstd::_
        • String ID: Opera$Software\Microsoft\Windows\CurrentVersion\Uninstall$Software\Opera Software$Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall$Software\Wow6432Node\Opera Software
        • API String ID: 1979737782-276245442
        • Opcode ID: b810eac672c29dd6084f7430a39b484316429ae7f22a4cf041e5c33e780bfa9d
        • Instruction ID: 4f1cc724ec8b460863e3eea8276e3b36874d7ca6154f71e2059db669f7a2c46c
        • Opcode Fuzzy Hash: b810eac672c29dd6084f7430a39b484316429ae7f22a4cf041e5c33e780bfa9d
        • Instruction Fuzzy Hash: 2E32C4B15083808BD325EF68D885A5FFBE1AB84704F54492DF5D987342EB30EA45CBA7
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: ERCP$VUUU$VUUU$VUUU
        • API String ID: 0-2165971703
        • Opcode ID: 3fd74bc41fe2d3b00401db7ef7437c442244eff2a4a5d6a763c5b26702ccf4df
        • Instruction ID: a778b2ffdc8baf2690fe529586c252d680c4ef53a1201e4cc120ab61c13e2080
        • Opcode Fuzzy Hash: 3fd74bc41fe2d3b00401db7ef7437c442244eff2a4a5d6a763c5b26702ccf4df
        • Instruction Fuzzy Hash: 9F62B2716083818FCB34CF19C4887AEB7E1BFD4704F188A2DE49AA7291D775DA85CB52
        APIs
          • Part of subcall function 00C78CC0: RtlEnterCriticalSection.NTDLL(00D07434), ref: 00C78CC8
          • Part of subcall function 00C78CC0: SetUnhandledExceptionFilter.KERNEL32(?,030A2BC8,?,00C77C69,05A2C2A1), ref: 00C78CFD
        • GetCurrentThreadId.KERNEL32 ref: 00C781E0
        • SetUnhandledExceptionFilter.KERNEL32(00C78180), ref: 00C7821A
        • RtlLeaveCriticalSection.NTDLL(00D07434), ref: 00C78242
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalExceptionFilterSectionUnhandled$CurrentEnterLeaveThread
        • String ID:
        • API String ID: 49404816-0
        • Opcode ID: 06ddc3bd11b490efe86733f3a59aff945a403c250a695a3b77a19c6fc0fafe06
        • Instruction ID: 8d24daff85bc588f6c8f28219a764e8b318c5a6379e44af51df5bca229f8a345
        • Opcode Fuzzy Hash: 06ddc3bd11b490efe86733f3a59aff945a403c250a695a3b77a19c6fc0fafe06
        • Instruction Fuzzy Hash: 0E210D716887509FD3219B14CC49B5EB794FB44710F14C51AFA6E93391CF346948C792
        APIs
        • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C68AA3
        • CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 00C68ABC
        • FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C68ACF
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: AllocateCheckFreeInitializeMembershipToken
        • String ID:
        • API String ID: 3429775523-0
        • Opcode ID: e2e0f9dd7a76f6c435bcf332c2d9a794a2167950374b2b98fb97f807061ff93e
        • Instruction ID: 08a2bd213a1d56bf49860b5d3f4233fb2170bd330153c46b17fe283577b3433f
        • Opcode Fuzzy Hash: e2e0f9dd7a76f6c435bcf332c2d9a794a2167950374b2b98fb97f807061ff93e
        • Instruction Fuzzy Hash: 4A01217620D380BFD300DF6489D5A6FBBE9AB98740F848C5EF58687251D630D948DB27
        Strings
        • %02d:%02d:%02d%n, xrefs: 00CCD84D
        • %02d:%02d%n, xrefs: 00CCD87B
        • %31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 00CCD748
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]
        • API String ID: 0-1523987602
        • Opcode ID: da03720ed1ce6d6fa295b8c36de4ed89821b66a722028d59992708e51db4d129
        • Instruction ID: 37dc26a1ab26404d1fda590013aa032d5d9b0e516fc003e6d4aae8d8aef8a819
        • Opcode Fuzzy Hash: da03720ed1ce6d6fa295b8c36de4ed89821b66a722028d59992708e51db4d129
        • Instruction Fuzzy Hash: 72E190B1A087418FC714DF29C880B6EB7E1AFD5310F554A3EF5A687291EB31DA45CB82
        APIs
        • GetLocaleInfoW.KERNEL32(00000400,00000059,?,00000064,05A2C2A1,?,00000010,0000000F,00000000), ref: 00C73D3F
        • GetLocaleInfoW.KERNEL32(00000400,0000005A,?,00000064), ref: 00C73DD1
          • Part of subcall function 00C55DF0: GetLastError.KERNEL32(00000068,?,00C56B16,?), ref: 00C55DFA
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C69C1F
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 00C69C3E
          • Part of subcall function 00C3AD10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AD4A
          • Part of subcall function 00C3AD10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AD61
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharInfoLocaleMultiString_base::_WideXlenstd::_$ErrorLast
        • String ID:
        • API String ID: 2486368898-0
        • Opcode ID: 6994972edb5ae7836b4ce8ea4e33df2c3ae1c41339791812cce8f1c196513652
        • Instruction ID: 0e0214f0459cddedb31b6ca5fdb6192cd3ab0fc154c2c217c6bf1d42702b7790
        • Opcode Fuzzy Hash: 6994972edb5ae7836b4ce8ea4e33df2c3ae1c41339791812cce8f1c196513652
        • Instruction Fuzzy Hash: 5A51B1B15087809FD730DB24DC41B9BB7E9AB94714F404E2DF29A87281EB36D508DBA3
        APIs
        • RtlEnterCriticalSection.NTDLL(00D07434), ref: 00C78CC8
        • SetUnhandledExceptionFilter.KERNEL32(?,030A2BC8,?,00C77C69,05A2C2A1), ref: 00C78CFD
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalEnterExceptionFilterSectionUnhandled
        • String ID:
        • API String ID: 1863718665-0
        • Opcode ID: e87b77b67badcfa824d5cfd75ee620d3bcb553f611e956a528b16907111a91cf
        • Instruction ID: 7751fea8754ba71b53a76faa89f030b3ebc12ce91f0d5c96e6c2ba136ccccb42
        • Opcode Fuzzy Hash: e87b77b67badcfa824d5cfd75ee620d3bcb553f611e956a528b16907111a91cf
        • Instruction Fuzzy Hash: 2CF0BD756012409FC714EF68D889E5A7BA5FB48311B158569E649CB326CA31E806DB60
        APIs
        • SetUnhandledExceptionFilter.KERNEL32(00C78180,00C77F42), ref: 00C78D95
        • RtlLeaveCriticalSection.NTDLL(00D07434), ref: 00C78DBD
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalExceptionFilterLeaveSectionUnhandled
        • String ID:
        • API String ID: 2735283860-0
        • Opcode ID: dac38302d3bc137158f74dd70341bec636a7d7aea7d082cd54885a8a6434f463
        • Instruction ID: 82bbfe90862a43f0defa6fdf63c5cc684c15f35823e37134730ed1104ca71804
        • Opcode Fuzzy Hash: dac38302d3bc137158f74dd70341bec636a7d7aea7d082cd54885a8a6434f463
        • Instruction Fuzzy Hash: 5BC08C70AC83486BCA0077F0AC0BB1C7B30BF00B027808071F70C482B3CAA02054D6B2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: (
        • API String ID: 0-3887548279
        • Opcode ID: 51141bfc0ad47eb6105353893a30759782378d270cb34b69e73447be82d03cad
        • Instruction ID: d301fd15213221dafd4abfed20b4dfafd3aa2ba1c9827c9fb06ecddb72d47935
        • Opcode Fuzzy Hash: 51141bfc0ad47eb6105353893a30759782378d270cb34b69e73447be82d03cad
        • Instruction Fuzzy Hash: 100238366283018FCB24DF28C58062AB7E1FFD9314F15486DE9A597351E731EE468B92
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: |
        • API String ID: 0-2343686810
        • Opcode ID: 19a9e0506c3f0f1e687151b65562fc6e204a84ddbc2a02954567975f8031f2f5
        • Instruction ID: a4c778ba7f6753b4349385ed078d4f40d86f94f8f15a1ed6ccb4b69cb918bd22
        • Opcode Fuzzy Hash: 19a9e0506c3f0f1e687151b65562fc6e204a84ddbc2a02954567975f8031f2f5
        • Instruction Fuzzy Hash: FBF14D745083818FCB24CF29C48466AFBE2BFD9314F18896EE8E987355D770D946CB92
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • GetDiskFreeSpaceExW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,00CDCD9E,000000FF,00C37C77,00000000,05A2C2A1), ref: 00C73C47
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$DiskFreeSpace
        • String ID:
        • API String ID: 521878932-0
        • Opcode ID: 0bf44e2904b65e270c8fec17d7ea83cdb844b7b36690c98fca7f65c1a69c6913
        • Instruction ID: 18f3697fc5fe5e11940c92f36a3fda2603dc8c67c831b37ce90a0f5e1800d8b2
        • Opcode Fuzzy Hash: 0bf44e2904b65e270c8fec17d7ea83cdb844b7b36690c98fca7f65c1a69c6913
        • Instruction Fuzzy Hash: 69219FB5608340ABD714DF29DC41B4BB7E9EBC4724F448A2DF55993390EB35E6088BA2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: ERCP
        • API String ID: 0-1384759551
        • Opcode ID: ca35906a2e9ad0babcc02aacfef52e5e62630348338a3842ad67f23d037e6c6a
        • Instruction ID: 23200be1d92d6848a5ecaac9093f37442b993ca69bfede74124f47d09d20672f
        • Opcode Fuzzy Hash: ca35906a2e9ad0babcc02aacfef52e5e62630348338a3842ad67f23d037e6c6a
        • Instruction Fuzzy Hash: 2791BE77704A108FC704BF79D85266AB3D1FFE8B20FD4452FE55AC6381EB2989089792
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: (
        • API String ID: 0-3887548279
        • Opcode ID: f8ec92ae8f6702508cc752b15c4a5582b8733fa16180f681bc7460fe5cea1b5e
        • Instruction ID: dab7990559dd00264a8f8b0072a75903280a44f453eba1ea720bcd29258dd1bb
        • Opcode Fuzzy Hash: f8ec92ae8f6702508cc752b15c4a5582b8733fa16180f681bc7460fe5cea1b5e
        • Instruction Fuzzy Hash: 98A18C716143059FCF24DF59D88092AB7E5FFC8360F18492EE999CB311E235EE468B92
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: ERCP
        • API String ID: 0-1384759551
        • Opcode ID: db5ebf1f34eef6dcdd65afdba06540b5767ced387dfb6766e2cee67130d188ab
        • Instruction ID: e41383e663a978290d7a829fa5ed5e66b799b71b710b2abbfb4ca4d4c4924df5
        • Opcode Fuzzy Hash: db5ebf1f34eef6dcdd65afdba06540b5767ced387dfb6766e2cee67130d188ab
        • Instruction Fuzzy Hash: 98513873D205324AA32C8A098858231E792EFD4361B1B43BEDD29B7796CDF88D51D6E4
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 28c5eae059b00031e449b56bf72508f2446ea2d4353e7d7871d671884cf92386
        • Instruction ID: d549641df52673307d88359da5047a3b71610f829210c9cb09d2162d2e7f0749
        • Opcode Fuzzy Hash: 28c5eae059b00031e449b56bf72508f2446ea2d4353e7d7871d671884cf92386
        • Instruction Fuzzy Hash: 341213B09083818FD719EF18C09476ABBE5EB84B0CF60585EF4D687391D774CA46CB8A
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5aa8f99e4debf67f8f55d892750649391e3a0b77af247bd3a3bf8d23827b7de6
        • Instruction ID: 747644f83798531cbe36ecf941c3c0ac95d3bebcffa7994d5adbfa016f7188b7
        • Opcode Fuzzy Hash: 5aa8f99e4debf67f8f55d892750649391e3a0b77af247bd3a3bf8d23827b7de6
        • Instruction Fuzzy Hash: 41025A72A182119BDB0CCE28C48027DBBE2FBC4344F118A3DE89697794D774DC8ACB95
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9dd7f7da7473664e32795a30a6d9c59abb0d810c2ad002c6d0ac3c824f1d0164
        • Instruction ID: cf0118bb6f59538bdb01c9b154359f0d9627ae1a8163a0434a85aa3fa6120666
        • Opcode Fuzzy Hash: 9dd7f7da7473664e32795a30a6d9c59abb0d810c2ad002c6d0ac3c824f1d0164
        • Instruction Fuzzy Hash: 1CF1BEB16283158FDB28DF15D58072EB7E2BF98700F28891DEC959B215D730ED46CB82
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: String_base::_Xlenstd::_
        • String ID:
        • API String ID: 1541887531-0
        • Opcode ID: 75c02b26fcca8e8f6524a307e6e79986c1dc257594e9662c4bba583d5d3a000b
        • Instruction ID: 6f1f720d0d6e3c6be4528de5c441f3d17f27d0a12018bb4b610c6d7a0086351f
        • Opcode Fuzzy Hash: 75c02b26fcca8e8f6524a307e6e79986c1dc257594e9662c4bba583d5d3a000b
        • Instruction Fuzzy Hash: BCA17C71518741AFCB24DF59C588AAFB7F8FB89B00F104A1EF49687691D770EA40CB92
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b9f5213ede2cc1ff111ed0203ef0529fda46c6d0dc5433a32bf9357eed7000a8
        • Instruction ID: a9a00062b7050efe0f13324117d051abef3056c60217f97eb6ccf1b5ea3a12e6
        • Opcode Fuzzy Hash: b9f5213ede2cc1ff111ed0203ef0529fda46c6d0dc5433a32bf9357eed7000a8
        • Instruction Fuzzy Hash: A271D531A287918FC364CE39889426FFBE0EBD5341F540A2DE4E9D7291D231994ACBD6
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ae76f125385061e2937552b81658aad502ad10777d75684a3cd05f4b78b6ad7f
        • Instruction ID: 28aa92b782f78f8ce2d79bc3497898598633afcebb8e1544495518282df2e5c2
        • Opcode Fuzzy Hash: ae76f125385061e2937552b81658aad502ad10777d75684a3cd05f4b78b6ad7f
        • Instruction Fuzzy Hash: 83110D7E374D4607E71C4769ED3377921C2E344305B88A13CF68BCA3C1EE6D98958219
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: bf479651f43a65df212b17ed442a8b5b2b0e269008130e016dfba473add0bc54
        • Instruction ID: bde3c1b2f684aaf6deaa1049e1fbf83b04942bebdb06eb010bf5d58b56013371
        • Opcode Fuzzy Hash: bf479651f43a65df212b17ed442a8b5b2b0e269008130e016dfba473add0bc54
        • Instruction Fuzzy Hash: A6110A33D64BB74BD33099ACDC8077677A1EF89354F5A42B0DE548B252D5389F4182E0
        APIs
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD43E
        • __allrem.LIBCMT ref: 00CBD471
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD47F
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD48F
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD4C3
        • __allrem.LIBCMT ref: 00CBD4F3
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD501
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD511
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD544
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD577
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD59C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem
        • String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
        • API String ID: 632788072-2102732564
        • Opcode ID: 9d5811556ce1ebf24f7c4bc03a253c7fb82f1b9637177fb32db77edfefd374d1
        • Instruction ID: 9a3ad1a50aac7bd9b031b4e025fa19b30d57c9ea8b2b137661860bee19cfb7bd
        • Opcode Fuzzy Hash: 9d5811556ce1ebf24f7c4bc03a253c7fb82f1b9637177fb32db77edfefd374d1
        • Instruction Fuzzy Hash: 7A419CFA78038035F431359A2C83FAB511D8BD2F59F21443AF707F62C2E9E5A955A079
        APIs
          • Part of subcall function 00C69360: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000002,00000000,?,?,0000000F,00000010,00000000,?,00000000,00000000), ref: 00C6939B
          • Part of subcall function 00C69360: RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C693FF
          • Part of subcall function 00C69360: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00C6940F
        • GetSystemTime.KERNEL32(?), ref: 00C4D3A6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CloseCreateSystemTimeValue
        • String ID: %.4d%.2d%.2d$DisplayIcon$DisplayName$HelpLink$InstallDate$InstallLocation$Publisher$Software\$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor
        • API String ID: 838904857-2577997009
        • Opcode ID: 3cf9c9f7e93e718c06850e6f53e9a8131d304a4728a873b5220a63e9cfbed7ba
        • Instruction ID: 193966ce48591525560392f2df2e0ed84f3bfbab4229209b05715721cb573c60
        • Opcode Fuzzy Hash: 3cf9c9f7e93e718c06850e6f53e9a8131d304a4728a873b5220a63e9cfbed7ba
        • Instruction Fuzzy Hash: 7E02AFB14183809ED321EF659882B9FBBE8AFD8704F444D1EF6D952242E7759508CFA3
        APIs
        • EnumProcesses.PSAPI(?,00001000,?,05A2C2A1,74DF0F00,00000000,00000010,00000000,?,00CE019D,000000FF,00C91052), ref: 00C8F128
        • GetCurrentProcessId.KERNEL32(?,00001000,?,05A2C2A1,74DF0F00,00000000,00000010,00000000,?,00CE019D,000000FF,00C91052), ref: 00C8F140
        • OpenProcess.KERNEL32(00100411,00000000,?), ref: 00C8F172
        • GetProcessImageFileNameW.PSAPI(00000000,?,00000104), ref: 00C8F190
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C69C1F
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 00C69C3E
        • CloseHandle.KERNEL32(00000000,00000000,000000FF,74DF0F00,00000000,00000010,00000000,?,?,?,?,00000000,00CE0545,000000FF,00C80F0F,00000003), ref: 00C8F363
        • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000104), ref: 00C8F39E
          • Part of subcall function 00C3AE10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AE5F
        • EnumWindows.USER32(00C8D220,?), ref: 00C8F56C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Process$ByteCharEnumFileMultiNameWide$CloseCurrentHandleImageModuleOpenProcessesString_base::_WindowsXlenstd::_
        • String ID: Chrome$Firefox$Internet Explorer$Opera$chrome.exe$firefox.exe$iexplore.exe$opera.exe
        • API String ID: 1921377800-2013523961
        • Opcode ID: a9af66b0fe625b5434124875b5d7f57f6f8b9189ded04dd5b6f6e196d1fde68c
        • Instruction ID: ef7506dbe521a87936f79497e3270dc779c9e4d360c7ae297d977742ceaf01cb
        • Opcode Fuzzy Hash: a9af66b0fe625b5434124875b5d7f57f6f8b9189ded04dd5b6f6e196d1fde68c
        • Instruction Fuzzy Hash: 34D1AF745083809FC735EF25D881AEBB7E4AFD8704F00492EF69987291DBB09945CBA7
        APIs
        • CreateMutexW.KERNEL32(00000000,00000001,?,-00000004,?,00000000), ref: 00C6FF54
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CreateMutex
        • String ID: D$f
        • API String ID: 1964310414-3723221445
        • Opcode ID: 6a96144e8da927319c7af88f5808aca268757a4f6300b20726caaddb4629aa86
        • Instruction ID: b565db66d954ac0a64791d76cf5a1529c748638e5b4f5a1633e80480393ff0ac
        • Opcode Fuzzy Hash: 6a96144e8da927319c7af88f5808aca268757a4f6300b20726caaddb4629aa86
        • Instruction Fuzzy Hash: E271AC71508340DBD720EB64DC85B6FB7E8AF95304F40891DF68987292DB35EA09DBA3
        APIs
        • BeginPaint.USER32(?,?), ref: 00C5B7B6
        • GetClientRect.USER32(?,?), ref: 00C5B7CF
        • CreateSolidBrush.GDI32(?), ref: 00C5B7DC
        • FillRect.USER32(00000000,?,00000000), ref: 00C5B7EF
        • DeleteObject.GDI32(00000000), ref: 00C5B7F6
        • EndPaint.USER32(?,?), ref: 00C5B805
        • BeginPaint.USER32(?,?), ref: 00C5B83B
        • GetClientRect.USER32(?,?), ref: 00C5B865
        • SelectObject.GDI32(00000000,00000000), ref: 00C5B8A5
        • CreateSolidBrush.GDI32(?), ref: 00C5B8BA
        • FillRect.USER32(00000000,00000000,00000000), ref: 00C5B8CD
        • DeleteObject.GDI32(00000000), ref: 00C5B8D4
        • 73A24D40.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00C5B915
        • SelectObject.GDI32(00000000,?), ref: 00C5B921
        • DeleteDC.GDI32(00000000), ref: 00C5B92C
        • DeleteObject.GDI32(00000000), ref: 00C5B933
        • EndPaint.USER32(?,?), ref: 00C5B942
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Object$DeletePaintRect$BeginBrushClientCreateFillSelectSolid
        • String ID:
        • API String ID: 3591250188-0
        • Opcode ID: 65b797635330339c81816c5423d4efdc0b374da0411955fdbec0b21d81c809d2
        • Instruction ID: c557997535551480c998c7db15e586e8170b6d76ef16e0937ac73f6e01422ee6
        • Opcode Fuzzy Hash: 65b797635330339c81816c5423d4efdc0b374da0411955fdbec0b21d81c809d2
        • Instruction Fuzzy Hash: 14515DB6200642AFD314DB64DC89F6BB7ACFF88711F00461DFA5A97290DB74E944CBA1
        APIs
        • CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 00C56256
        • ConnectNamedPipe.KERNEL32(000000FF,?), ref: 00C56269
          • Part of subcall function 00C56030: CreateNamedPipeW.KERNEL32(?,40080003,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00C560B1
        • GetLastError.KERNEL32 ref: 00C5628B
        • GetTickCount.KERNEL32 ref: 00C56305
        • Sleep.KERNEL32(00000064), ref: 00C56318
        • GetTickCount.KERNEL32 ref: 00C56324
          • Part of subcall function 00C55DF0: GetLastError.KERNEL32(00000068,?,00C56B16,?), ref: 00C55DFA
        • WaitForSingleObject.KERNEL32(?,?), ref: 00C56361
        • CloseHandle.KERNEL32(?,?), ref: 00C56376
        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 00C56410
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Create$CountErrorLastNamedPipeTick$CloseConnectEventFileHandleObjectSingleSleepWait
        • String ID: ConnectNamedPipe failed: $CreateFile failed: $InterprocessMessenger::connect$Timeout exceeded$\\.\pipe\
        • API String ID: 624744538-674043421
        • Opcode ID: 89ba2c74c5dd95153d228eabc955a812f5d276e16fc571162f21a82014e3033a
        • Instruction ID: 5db31df5fca7b0faceb36967fa9789fd05ae6836380dfcaad743f72dd9a23fd2
        • Opcode Fuzzy Hash: 89ba2c74c5dd95153d228eabc955a812f5d276e16fc571162f21a82014e3033a
        • Instruction Fuzzy Hash: 4E91ADB55083809FD710EF64CC81B6FB7E8BB94305F504A2DF69983292DB3499889B67
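The argument values in the APIs lists are printed as raw hex, and for several calls they are the part that matters: OpenProcess with 00100411, RegCreateKeyExW with 00000002 at the samDesired position, CreateNamedPipeW with 40080003 and nMaxInstances 1, CreateFileW with C0000000, 00000003 and 40000000. The decoder below is an added example written for this page; it is not Joe Sandbox's code and not the sample's. It parses call lines in the format shown above and names the flag bits at the positions the documented Win32 prototypes put them. Everything past a prototype's last parameter is stack residue that the report prints alongside the call (the EnumProcesses line carries twelve values for a three-parameter API) and is left alone. Constant names and values are from the Windows SDK headers, and the parameter names in the table are the SDK's.

```python
"""Decode the hex arguments Joe Sandbox prints for selected Win32 calls.

Added example for this page, not Joe Sandbox's or the sample's own code. A call line
reads 'Name.DLL(arg0,arg1,...), ref: ADDR'; '?' marks an unrecovered argument. Only the
positions of the documented prototype are decoded, because the report often prints
further stack values after the real arguments (see the EnumProcesses line below).
Constant names and values come from the Windows SDK headers.
"""
import re

CALL_RE = re.compile(r"(?P<api>[^\s(•]+?)\.(?P<dll>[A-Z0-9]+)"
                     r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)")

PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION",
                  0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0080: "PROCESS_CREATE_PROCESS", 0x0400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x00100000: "SYNCHRONIZE"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
FILE_FLAGS = {0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x00000080: "FILE_ATTRIBUTE_NORMAL"}
PIPE_OPEN_MODE = {0x1: "PIPE_ACCESS_INBOUND", 0x2: "PIPE_ACCESS_OUTBOUND",
                  0x3: "PIPE_ACCESS_DUPLEX",  # composite mask, matched before its parts
                  0x00080000: "FILE_FLAG_FIRST_PIPE_INSTANCE", 0x40000000: "FILE_FLAG_OVERLAPPED"}
REG_ACCESS = {0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
              0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY"}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
REG_TYPE = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
CODEPAGE = {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"}  # 0xFDE9 == 65001

def decode_bits(value, table):
    """Name the bits of `value`. Composite masks are tried first (so 0x3 reads
    PIPE_ACCESS_DUPLEX, not INBOUND|OUTBOUND); unknown bits are kept as hex."""
    names, rest = [], value
    for mask, name in sorted(table.items(), key=lambda kv: -bin(kv[0]).count("1")):
        if mask and (rest & mask) == mask:
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(f"0x{rest:08X}")
    return "|".join(names) if names else "0"

# API -> [(argument index in the documented prototype, parameter name, decoder)]
DECODERS = {
    "OpenProcess": [(0, "dwDesiredAccess", lambda v: decode_bits(v, PROCESS_ACCESS))],
    "CreateFileW": [(1, "dwDesiredAccess", lambda v: decode_bits(v, GENERIC_ACCESS)),
                    (4, "dwCreationDisposition", lambda v: CREATION_DISPOSITION.get(v, hex(v))),
                    (5, "dwFlagsAndAttributes", lambda v: decode_bits(v, FILE_FLAGS))],
    "CreateNamedPipeW": [(1, "dwOpenMode", lambda v: decode_bits(v, PIPE_OPEN_MODE)),
                         (3, "nMaxInstances", str)],
    "RegCreateKeyExW": [(5, "samDesired", lambda v: decode_bits(v, REG_ACCESS))],
    "RegSetValueExW": [(3, "dwType", lambda v: REG_TYPE.get(v, hex(v)))],
    "MultiByteToWideChar": [(0, "CodePage", lambda v: CODEPAGE.get(v, str(v)))],
}

def parse_call(line):
    """One call line -> {'api','dll','args','ref','subcall'} or None; args are ints,
    or None where the report printed '?'."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args = [None if t.strip() == "?" else int(t, 16)
            for t in (m.group("args") or "").split(",") if t.strip()]
    return {"api": m.group("api"), "dll": m.group("dll"), "args": args,
            "ref": m.group("ref"), "subcall": "Part of subcall" in line}

def decode_call(call):
    """Parameter name -> decoded text for the arguments this module knows."""
    out = {}
    for idx, name, fn in DECODERS.get(call["api"], []):
        if idx < len(call["args"]) and call["args"][idx] is not None:
            out[name] = fn(call["args"][idx])
    return out

def decode_report_lines(lines):
    """Parse every call line in `lines` and attach its decoded arguments."""
    rows = []
    for line in lines:
        call = parse_call(line)
        if call:
            call["decoded"] = decode_call(call)
            rows.append(call)
    return rows

# Call lines copied from this report; the EnumProcesses line shows the stack residue.
SAMPLE_CALLS = [
    "• EnumProcesses.PSAPI(?,00001000,?,05A2C2A1,74DF0F00,00000000,00000010,00000000,?,00CE019D,000000FF,00C91052), ref: 00C8F128",
    "• OpenProcess.KERNEL32(00100411,00000000,?), ref: 00C8F172",
    "  • Part of subcall function 00C69360: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000002,00000000,?,?,0000000F,00000010,00000000,?,00000000,00000000), ref: 00C6939B",
    "  • Part of subcall function 00C69360: RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C693FF",
    "  • Part of subcall function 00C56030: CreateNamedPipeW.KERNEL32(?,40080003,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00C560B1",
    "• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 00C56410",
    "  • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB",
]

if __name__ == "__main__":
    for row in decode_report_lines(SAMPLE_CALLS):
        print(f"{row['ref']} {row['api']:<20} {row['decoded']}")
```

For this sample the OpenProcess mask decodes to PROCESS_TERMINATE|PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|SYNCHRONIZE; the middle two are what the GetModuleFileNameExW call in the same function needs, and PROCESS_TERMINATE sits in the function that also carries the browser image names. The pipe server opens PIPE_ACCESS_DUPLEX with FILE_FLAG_FIRST_PIPE_INSTANCE and a single instance, so the create fails if an instance of that name already exists, which is how a server notices a pre-existing squatter; the client side opens the pipe GENERIC_READ|GENERIC_WRITE, OPEN_EXISTING, FILE_FLAG_OVERLAPPED. The registry key is requested with KEY_SET_VALUE only and the value is written as REG_SZ, and the string conversions run with CP_UTF8.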
        Strings
        • STATUS:ADMIN, xrefs: 00C55CB9
        • unable to listen on admin-proxy pipes, xrefs: 00C55AF6
        • ShellExecute for admin-proxy failed - , xrefs: 00C55B65
        • ConnectNamedPipe for admin-proxy failed - , xrefs: 00C55BE4
        • got adminStatus from admin-proxy - , xrefs: 00C55C7C
        • AdministrativeProxy is already running, xrefs: 00C55AD1
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: AdministrativeProxy is already running$ConnectNamedPipe for admin-proxy failed - $STATUS:ADMIN$ShellExecute for admin-proxy failed - $got adminStatus from admin-proxy - $unable to listen on admin-proxy pipes
        • API String ID: 0-263646754
        • Opcode ID: 719d28e50d11c483e2f84706f9660abc0e9b7e7ea9a4e152756dac12fe9ecd88
        • Instruction ID: 68269d296e60e76adba4f6f87f83b417d288f38f89c13298785bd7d8a1972601
        • Opcode Fuzzy Hash: 719d28e50d11c483e2f84706f9660abc0e9b7e7ea9a4e152756dac12fe9ecd88
        • Instruction Fuzzy Hash: 3F61DE71118380ABD324EB60CC96F9BB7E8BF55700F104A1CF6A6962D1EF74A50C9B67
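Several of the function blocks above pair an API set with string constants that together describe one capability: RegCreateKeyExW and RegSetValueExW with Software\Microsoft\Windows\CurrentVersion\Uninstall\ and an InstallDate built with %.4d%.2d%.2d from GetSystemTime (the YYYYMMDD form of a normal Add/Remove Programs entry); EnumProcesses and OpenProcess with chrome.exe, firefox.exe, iexplore.exe and opera.exe; ConnectNamedPipe and CreateNamedPipeW with the \\.\pipe\ prefix; and the admin-proxy log strings just above. The tagger below is an added example for this page, not Joe Sandbox's code and not the sample's. It reads the report text in the layout shown here, one record per function block (ending at its Instruction Fuzzy Hash line), and applies hand-written rules whose labels are this example's own, not Joe Sandbox signature names. Two rules are library fingerprints rather than behaviour: ERCP, seen in two blocks above, is PCRE's MAGIC_NUMBER 0x50435245 ('PCRE') as it sits in memory on a little-endian machine, and the "Resuming transfer from byte position" and "% Total % Received % Xferd" strings that appear further down in this listing are libcurl's progress meter text (lib/progress.c), i.e. a statically linked libcurl.

```python
"""Tag capabilities from the per-function APIs and 'String ID' data of a Joe Sandbox report.

Added example for this page, not Joe Sandbox's or the sample's own code. The report text is
read in the layout shown on this page: call lines name the API as 'NAME.DLL(' or 'NAME.DLL ref:',
the 'String ID' line joins a function's string constants with '$', and a function's block ends
at its 'Instruction Fuzzy Hash' line. The rule labels are this example's own.
"""
import re

API_LINE = re.compile(r"(?P<api>[^\s(•]+?)\.(?P<dll>[A-Z0-9]+)(?:\(|\s+ref:)")
BROWSERS = {"chrome", "firefox", "iexplore", "opera", "msedge", "brave"}

def parse_report(lines):
    """Return one {'apis': set, 'strings': list} record per function block."""
    funcs, cur = [], {"apis": set(), "strings": []}
    for raw in lines:
        line = raw.strip().lstrip("• ").strip()
        if line.startswith("String ID:"):
            # Joe Sandbox joins the constants with '$'; a literal '$' inside a
            # constant cannot be distinguished from the separator here.
            body = line[len("String ID:"):].strip()
            cur["strings"] = [s for s in body.split("$") if s]
        elif line.startswith("Instruction Fuzzy Hash:"):
            funcs.append(cur)
            cur = {"apis": set(), "strings": []}
        else:
            m = API_LINE.search(line)
            if m:
                cur["apis"].add(m.group("api"))
    return funcs

def _browser_exe(s):
    return s.lower().endswith(".exe") and s.lower()[:-4] in BROWSERS

# (label, predicate over the function's API names and string constants)
RULES = [
    ("browser-process-discovery",      # process walk plus browser image names
     lambda apis, strs: {"EnumProcesses", "OpenProcess"} <= apis and any(map(_browser_exe, strs))),
    ("uninstall-entry-write",          # Add/Remove Programs entry written to the registry
     lambda apis, strs: {"RegCreateKeyExW", "RegSetValueExW"} <= apis
                        and any("CurrentVersion\\Uninstall\\" in s for s in strs)),
    ("named-pipe-ipc",                 # pipe server/client code with the \\.\pipe\ prefix
     lambda apis, strs: bool(apis & {"ConnectNamedPipe", "CreateNamedPipeW"})
                        and any(s.startswith("\\\\.\\pipe\\") for s in strs)),
    ("admin-proxy-pipe-client",        # log strings of the elevated-helper handshake
     lambda apis, strs: any("admin-proxy" in s for s in strs)),
    ("libcurl-progress-meter",         # libcurl lib/progress.c text, i.e. a static libcurl
     lambda apis, strs: any("Xferd" in s or "Resuming transfer from byte position" in s for s in strs)),
    ("pcre-compiled-pattern-magic",    # PCRE MAGIC_NUMBER 0x50435245 ('PCRE') little-endian
     lambda apis, strs: "ERCP" in strs),
]

def tag_function(func):
    """Labels of every rule whose predicate holds for one function record."""
    return [label for label, pred in RULES if pred(func["apis"], func["strings"])]

def tag_report(lines):
    return [tag_function(f) for f in parse_report(lines)]

# Lines copied from the function blocks on this page, trimmed to what the rules read.
SAMPLE_REPORT = [
    "  • Part of subcall function 00C69360: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000002,00000000,?,?,0000000F,00000010,00000000,?,00000000,00000000), ref: 00C6939B",
    "  • Part of subcall function 00C69360: RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C693FF",
    "• GetSystemTime.KERNEL32(?), ref: 00C4D3A6",
    "• String ID: %.4d%.2d%.2d$DisplayName$InstallDate$Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\$UninstallString",
    "• Instruction Fuzzy Hash: 7E02AFB14183809ED321EF659882B9FBBE8AFD8704F444D1EF6D952242E7759508CFA3",
    "• EnumProcesses.PSAPI(?,00001000,?,05A2C2A1,74DF0F00,00000000,00000010,00000000,?,00CE019D,000000FF,00C91052), ref: 00C8F128",
    "• OpenProcess.KERNEL32(00100411,00000000,?), ref: 00C8F172",
    "• GetProcessImageFileNameW.PSAPI(00000000,?,00000104), ref: 00C8F190",
    "• String ID: Chrome$Firefox$Internet Explorer$Opera$chrome.exe$firefox.exe$iexplore.exe$opera.exe",
    "• Instruction Fuzzy Hash: 34D1AF745083809FC735EF25D881AEBB7E4AFD8704F00492EF69987291DBB09945CBA7",
    "• ConnectNamedPipe.KERNEL32(000000FF,?), ref: 00C56269",
    "  • Part of subcall function 00C56030: CreateNamedPipeW.KERNEL32(?,40080003,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00C560B1",
    "• GetLastError.KERNEL32 ref: 00C5628B",
    "• String ID: ConnectNamedPipe failed: $CreateFile failed: $InterprocessMessenger::connect$Timeout exceeded$\\\\.\\pipe\\",
    "• Instruction Fuzzy Hash: 4E91ADB55083809FD710EF64CC81B6FB7E8BB94305F504A2DF69983292DB3499889B67",
    "• STATUS:ADMIN, xrefs: 00C55CB9",
    "• String ID: AdministrativeProxy is already running$ConnectNamedPipe for admin-proxy failed - $STATUS:ADMIN$ShellExecute for admin-proxy failed - $got adminStatus from admin-proxy - $unable to listen on admin-proxy pipes",
    "• Instruction Fuzzy Hash: 3F61DE71118380ABD324EB60CC96F9BB7E8BF55700F104A1CF6A6962D1EF74A50C9B67",
    "• String ID: ERCP",
    "• Instruction Fuzzy Hash: 2791BE77704A108FC704BF79D85266AB3D1FFE8B20FD4452FE55AC6381EB2989089792",
]

if __name__ == "__main__":
    for func, labels in zip(parse_report(SAMPLE_REPORT), tag_report(SAMPLE_REPORT)):
        print(sorted(func["apis"]), labels)
```

The rules deliberately require the API set and the strings together: browser names alone also occur in user-agent builders and installers, and RegSetValueExW alone says nothing about where the value goes. Matching on substrings rather than whole entries keeps the rules robust against the '$' separator ambiguity noted in the parser.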
        APIs
        • RtlEnterCriticalSection.NTDLL(00D078D0), ref: 00C601FC
        • RegisterClipboardFormatW.USER32(WM_ATLGETHOST), ref: 00C6020D
        • RegisterClipboardFormatW.USER32(WM_ATLGETCONTROL), ref: 00C60219
        • GetClassInfoExW.USER32(00C30000,AtlAxWin90,?), ref: 00C60240
        • LoadCursorW.USER32 ref: 00C6027E
        • RegisterClassExW.USER32 ref: 00C602A1
        • GetClassInfoExW.USER32(00C30000,AtlAxWinLic90,?), ref: 00C602EA
        • LoadCursorW.USER32 ref: 00C60322
        • RegisterClassExW.USER32 ref: 00C60345
        • RtlLeaveCriticalSection.NTDLL(00D078D0), ref: 00C60374
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ClassRegister$ClipboardCriticalCursorFormatInfoLoadSection$EnterLeave
        • String ID: AtlAxWin90$AtlAxWinLic90$WM_ATLGETCONTROL$WM_ATLGETHOST
        • API String ID: 1448039599-2573294316
        • Opcode ID: 4dfc139a10dd8923f6c67f82926667f0bd025ece25d60b6aebf6a7053b246dcb
        • Instruction ID: 8756c19b29f758707c57d22cb5e4030eb1df02aa4fc8d2d62bfe9bf1fafa20d7
        • Opcode Fuzzy Hash: 4dfc139a10dd8923f6c67f82926667f0bd025ece25d60b6aebf6a7053b246dcb
        • Instruction Fuzzy Hash: 984147B19193509FC310DF159C88B5FBBE8FB88B14F404A2EF58897250D7749909CFA6
        APIs
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBDF2F
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBDFBE
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBDFDE
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBE017
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBE057
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBE077
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBE0B2
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBE1A3
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBE1CB
        Strings
        • %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 00CBE2B7
        • %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00CBDF73
        • ** Resuming transfer from byte position %I64d, xrefs: 00CBDF5F
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
        • String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
        • API String ID: 885266447-664487449
        • Opcode ID: 90142528681f702f755361a904471204f893108453a4f2f41fd2ca13e7af1e3c
        • Instruction ID: 452939dbcbdf36e16f08b94c822136ed8d268c63dce13d47ea3291b5a088d7a6
        • Opcode Fuzzy Hash: 90142528681f702f755361a904471204f893108453a4f2f41fd2ca13e7af1e3c
        • Instruction Fuzzy Hash: 40C1B0B5604745AFE218EB68CC81EEBF7A8FB84704F00461DF96993241DB71BC54DBA2
        APIs
        • lstrlenW.KERNEL32(?,05A2C2A1,?), ref: 00C6288C
        • CharNextW.USER32 ref: 00C62912
        • CharNextW.USER32(00000000), ref: 00C62917
        • CharNextW.USER32(00000000), ref: 00C6291C
        • CharNextW.USER32(00000000), ref: 00C62921
        • CharNextW.USER32(C8000000), ref: 00C629CD
        • CharNextW.USER32(?,00000000), ref: 00C62A38
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CharNext$lstrlen
        • String ID: }}$HKCR$HKCU{Software{Classes
        • API String ID: 2675299387-1142484189
        • Opcode ID: 7469facac2a4426ac5f006aae6619982d541ff74867b3be3fe5bc6bd97acfe7b
        • Instruction ID: adde418e732a8b0df6662678a6070d86d672b12e238ce3f99d67031ce94f37ae
        • Opcode Fuzzy Hash: 7469facac2a4426ac5f006aae6619982d541ff74867b3be3fe5bc6bd97acfe7b
        • Instruction Fuzzy Hash: 9C819C716087419FC734DF65C884B2AB7E8EF98304F14492DF9D587281EB78DA84DB62
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 00C6F670
        • WriteFile.KERNEL32(00000000,--quit-application,--quit-application,?,00000000), ref: 00C6F69B
        • CloseHandle.KERNEL32(00000000), ref: 00C6F6A2
        • WaitForSingleObject.KERNEL32(00000000,00002710,?,?,05A2C2A1,00000010,?,?,00000000), ref: 00C6F6D1
        • TerminateProcess.KERNEL32(00000000,00000001,?,?,05A2C2A1,00000010,?,?,00000000), ref: 00C6F6DE
        • WaitForSingleObject.KERNEL32(00000000,00002710,?,?,05A2C2A1,00000010,?,?,00000000), ref: 00C6F6F2
          • Part of subcall function 00C55DF0: GetLastError.KERNEL32(00000068,?,00C56B16,?), ref: 00C55DFA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharFileMultiObjectSingleWaitWide$CloseCreateErrorHandleLastProcessTerminateWrite
        • String ID: --quit-application$TerminateProcess failed: $WaitForSingleObject failed: $WaitForSingleObject timed out$WaitForSingleObject unknown error$\\.\pipe\
        • API String ID: 1433193461-2555663530
        • Opcode ID: 879212b27b669f192fabefd35d4a3fcc507b562a328fca9dd3735f29fc1628fe
        • Instruction ID: e215e519fe8bc59ab264d42fb697c88e17a0d19ece0db37af7734ccda2655bc9
        • Opcode Fuzzy Hash: 879212b27b669f192fabefd35d4a3fcc507b562a328fca9dd3735f29fc1628fe
        • Instruction Fuzzy Hash: F36137725083405FD314AB649C82BAFB7D9EB85760F400A3DF955832D2EB39E90997A2
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • FindResourceW.KERNEL32(00000000,?,TEXT), ref: 00C73755
        • LoadResource.KERNEL32(00000000,00000000), ref: 00C73826
        • GetLastError.KERNEL32 ref: 00C73834
          • Part of subcall function 00C6D850: LocalFree.KERNEL32(?), ref: 00C6D951
          • Part of subcall function 00C3AE10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AE5F
        • LockResource.KERNEL32(00000000), ref: 00C738C0
        • GetLastError.KERNEL32 ref: 00C738CA
        • GetLastError.KERNEL32 ref: 00C73765
          • Part of subcall function 00C6D850: FormatMessageW.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,?,?,?,0000000F), ref: 00C6D8DF
          • Part of subcall function 00C6D850: GetLastError.KERNEL32(?,?,?,0000000F), ref: 00C6D8E9
          • Part of subcall function 00C6D850: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C6D98E
        • SizeofResource.KERNEL32(00000000,00000000), ref: 00C737F1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLastResource$ByteCharMultiWide$FindFormatFreeIos_base_dtorLoadLocalLockMessageSizeofString_base::_Xlenstd::_std::ios_base::_
        • String ID: FindResource error: $LoadResource error: $LockResource error: $TEXT$Zero-sized resource
        • API String ID: 3828103314-2387353103
        • Opcode ID: 771c08b62ae4cf59a5a5e74436a332c4cc1754d463f3d28b163f1f80bf3c43fc
        • Instruction ID: 808df5d17a3d4b4f3988e27e0a554522cdd50a4177e70424f3ead4940c462e05
        • Opcode Fuzzy Hash: 771c08b62ae4cf59a5a5e74436a332c4cc1754d463f3d28b163f1f80bf3c43fc
        • Instruction Fuzzy Hash: 605180B1518380ABC710EF25C885A5FBBEDAF94714F444D2DF19A97382D734DA049BA3
        APIs
        • GetParent.USER32 ref: 00C58663
        • GetWindow.USER32(?,00000004), ref: 00C5866C
        • GetWindowRect.USER32(?,?), ref: 00C5867C
        • MonitorFromWindow.USER32(?,00000002), ref: 00C586B0
        • GetMonitorInfoW.USER32 ref: 00C586D9
        • GetWindowRect.USER32(?,?), ref: 00C5871F
        • SetWindowPos.USER32(00000000,00000000,00000000,?,000000FF,000000FF,00000015,?,?), ref: 00C587DB
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Window$MonitorRect$FromInfoParent
        • String ID: (
        • API String ID: 568100639-3887548279
        • Opcode ID: 56909bf47fafe89258740d3fa22ee7c7dcafc5b8fc7693cbefa5c018c633fbff
        • Instruction ID: 0fbb166c7fbe7147731e2f79c6b4991483221f8f763d637071a10feeac140216
        • Opcode Fuzzy Hash: 56909bf47fafe89258740d3fa22ee7c7dcafc5b8fc7693cbefa5c018c633fbff
        • Instruction Fuzzy Hash: 16516B752083019FC314CF29CD84B6EB7E9EB88751F244A2DF855E7290EB30ED498B96
        APIs
        • WSAStartup.WS2_32(00000202,?), ref: 00CA7BFB
        • WSACleanup.WS2_32 ref: 00CA7C17
        • GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 00CA7C60
        • VerSetConditionMask.NTDLL ref: 00CA7CB2
        • VerSetConditionMask.NTDLL(00000000,?,00000001,00000003), ref: 00CA7CBA
        • VerSetConditionMask.NTDLL(00000000,?,00000020,00000003), ref: 00CA7CC2
        • VerSetConditionMask.NTDLL(00000000,?,00000010,00000003), ref: 00CA7CCA
        • VerSetConditionMask.NTDLL(00000000,?,00000008,00000001), ref: 00CA7CD2
        • VerifyVersionInfoA.KERNEL32(00000000,00000033,00000000), ref: 00CA7CDD
        • QueryPerformanceFrequency.KERNEL32(00D07E98,?,?,00000008,00000001,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 00CA7CF3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ConditionMask$AddressCleanupFrequencyInfoPerformanceProcQueryStartupVerifyVersion
        • String ID: if_nametoindex$iphlpapi.dll
        • API String ID: 2827926706-3097795196
        • Opcode ID: 2a16fd784329102770017b409e5816c1a7b0ec3fcb41252e9be4230205c99e69
        • Instruction ID: eafaffadafc270eaa7653934749fef82dc20385c5f5acf7f8d406c44ba2e9127
        • Opcode Fuzzy Hash: 2a16fd784329102770017b409e5816c1a7b0ec3fcb41252e9be4230205c99e69
        • Instruction Fuzzy Hash: 2731B670A443466AF7309B70DC4FF6F7A98AB45B14F400919F5459E1C1DAB99604CB62
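The record above chains WSAStartup/WSACleanup, a GetProcAddress lookup of if_nametoindex in iphlpapi.dll, four VerSetConditionMask calls, VerifyVersionInfoA with dwTypeMask 0x33 and QueryPerformanceFrequency; that sequence is consistent with the Windows initialisation code of a statically linked libcurl, the same library whose progress-meter strings appear in the record at 00CBDF2F above (an analyst's observation, not a finding the report itself states). The argument constants are only useful if you can read them, so the following script is an added example, not code from the report or from the sample: it reimplements the documented VerSetConditionMask bit layout in pure Python, replays the calls with the constants the sandbox recovered, and decodes what VerifyVersionInfoA will actually compare. The sandbox recovered no arguments for the first call at 00CA7CB2; the script assumes it set VER_MAJORVERSION / VER_GREATER_EQUAL, the only field of dwTypeMask 0x33 that no recovered call covers, and labels that assumption in the code.

```python
"""Decode the VerSetConditionMask / VerifyVersionInfoA constants of the record
above into the version requirement they express (added example)."""

# dwTypeMask bits from winnt.h. The index of each field's type bit is also the
# index of its 3-bit condition slot inside the 64-bit dwlConditionMask.
VER_TYPES = {
    0x01: "VER_MINORVERSION", 0x02: "VER_MAJORVERSION", 0x04: "VER_BUILDNUMBER",
    0x08: "VER_PLATFORMID", 0x10: "VER_SERVICEPACKMINOR", 0x20: "VER_SERVICEPACKMAJOR",
    0x40: "VER_SUITENAME", 0x80: "VER_PRODUCT_TYPE",
}
VER_CONDITIONS = {1: "VER_EQUAL", 2: "VER_GREATER", 3: "VER_GREATER_EQUAL",
                  4: "VER_LESS", 5: "VER_LESS_EQUAL", 6: "VER_AND", 7: "VER_OR"}


def ver_set_condition_mask(mask: int, type_bit: int, condition: int) -> int:
    """Pure-Python equivalent of the kernel32/ntdll export: store the 3-bit
    condition in slot 3*i, where i is the index of the field's type bit."""
    condition &= 7
    if not type_bit or not condition:
        return mask
    i = type_bit.bit_length() - 1
    return mask | (condition << (3 * i))


def decode_condition_mask(mask: int) -> dict:
    """Map every field that has a condition set to its operator name."""
    out = {}
    for bit, name in VER_TYPES.items():
        cond = (mask >> (3 * (bit.bit_length() - 1))) & 7
        if cond:
            out[name] = VER_CONDITIONS[cond]
    return out


def describe(type_mask: int, cond_mask: int) -> dict:
    """What VerifyVersionInfo will compare: only fields present in dwTypeMask
    count, and each of them needs an operator from dwlConditionMask."""
    conds = decode_condition_mask(cond_mask)
    return {name: conds.get(name, "<no condition set>")
            for bit, name in VER_TYPES.items() if type_mask & bit}


def replay_listing() -> int:
    """Replay the five VerSetConditionMask calls at 00CA7CB2..00CA7CD2 with the
    constants the sandbox recovered. The first call's arguments were not
    recovered; ASSUMPTION: it sets VER_MAJORVERSION / VER_GREATER_EQUAL."""
    cm = 0
    cm = ver_set_condition_mask(cm, 0x02, 3)  # assumed (args not recovered)
    cm = ver_set_condition_mask(cm, 0x01, 3)  # (?,00000001,00000003): minor version >=
    cm = ver_set_condition_mask(cm, 0x20, 3)  # (?,00000020,00000003): SP major >=
    cm = ver_set_condition_mask(cm, 0x10, 3)  # (?,00000010,00000003): SP minor >=
    cm = ver_set_condition_mask(cm, 0x08, 1)  # (?,00000008,00000001): platform id ==
    return cm


VERIFY_TYPE_MASK = 0x33  # second argument of VerifyVersionInfoA at 00CA7CDD


if __name__ == "__main__":
    cm = replay_listing()
    print(f"dwlConditionMask = {cm:#x}")
    for name, op in describe(VERIFY_TYPE_MASK, cm).items():
        print(f"  {name:<22} {op}")
    ignored = set(decode_condition_mask(cm)) - set(describe(VERIFY_TYPE_MASK, cm))
    print("conditions set but absent from dwTypeMask:", sorted(ignored))
```

Running it shows the check as "major, minor, SP major and SP minor all greater-or-equal to the values in the OSVERSIONINFOEX the code filled in", and that the VER_EQUAL set for VER_PLATFORMID at 00CA7CD2 is not in the 0x33 type mask, so it plays no part in that particular VerifyVersionInfoA call. The listing shows constants recovered from the function, with ? for unknowns, not the values of one executed path, so a type mask that includes 0x08 on another path is possible and worth checking in the disassembly rather than assumed.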
        APIs
        • IsProcessorFeaturePresent.KERNEL32(0000000C,00CD5076,?,00C510CE,?,00C505AB,00000000), ref: 00CD4FA2
        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00000000,?,00C505AB,00000000), ref: 00CD4FBB
        • GetProcAddress.KERNEL32(00000000,InterlockedPushEntrySList), ref: 00CD4FD5
        • GetProcAddress.KERNEL32(00000000,InterlockedPopEntrySList), ref: 00CD4FE2
        • GetProcessHeap.KERNEL32(00000000,00000008,?,00C505AB,00000000), ref: 00CD5014
        • RtlAllocateHeap.NTDLL(00000000,?,00C505AB), ref: 00CD5017
        • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00CD502D
        • GetProcessHeap.KERNEL32(00000000,00000000,?,00C505AB,00000000), ref: 00CD503A
        • HeapFree.KERNEL32(00000000,?,00C505AB,00000000), ref: 00CD503D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Heap$AddressProcProcess$AllocateCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
        • String ID: InterlockedPopEntrySList$InterlockedPushEntrySList$kernel32.dll
        • API String ID: 3762069661-2586642590
        • Opcode ID: f8bd62bd6167d61358ec14da5dc7e9e3ad019689817e9e229ce734293c54c367
        • Instruction ID: aa2ff4119a749f06adb47adfa3c321232efa7c025ed67c153e58050169772151
        • Opcode Fuzzy Hash: f8bd62bd6167d61358ec14da5dc7e9e3ad019689817e9e229ce734293c54c367
        • Instruction Fuzzy Hash: 2E115B72A54781DFDB60AF75AC88F2A3BE8FB48751704443BE345CB350DB70A940CA60
        APIs
        • SelectObject.GDI32(00000000,?), ref: 00C4F3EC
        • SelectObject.GDI32(00000000,00000000), ref: 00C4F3F4
        • SetBkColor.GDI32(00000000,?), ref: 00C4F406
        • 73A24D40.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00C4F425
        • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00C4F431
        • SetBkColor.GDI32(00000000,00000000), ref: 00C4F43E
        • 73A24D40.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00C4F459
        • SetTextColor.GDI32(00000000,?), ref: 00C4F465
        • SetBkColor.GDI32(00000000,?), ref: 00C4F471
        • SelectObject.GDI32(00000000,?), ref: 00C4F479
        • SelectObject.GDI32(00000000,?), ref: 00C4F481
        • DeleteDC.GDI32(00000000), ref: 00C4F48A
        • DeleteDC.GDI32(00000000), ref: 00C4F48D
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Color$ObjectSelect$DeleteText
        • String ID:
        • API String ID: 1164337235-0
        • Opcode ID: 847254e48ca9acb13ab7ca9123ecf7f1801ece1a4f0744918f6ed59de8933cda
        • Instruction ID: 62e5213342ef4e90b38e5ba11d8c41e541a50a406da5dc3471d5e7897d273625
        • Opcode Fuzzy Hash: 847254e48ca9acb13ab7ca9123ecf7f1801ece1a4f0744918f6ed59de8933cda
        • Instruction Fuzzy Hash: C6314B71644304BBE220DB659C86F6FBBECEFC9B50F10451DF644A7290D6B0E9058BAA
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000), ref: 00C960D9
        • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,00000001,?,00000000), ref: 00C961B3
        • CloseHandle.KERNEL32(00000000,?,?,?,00CE2A70,?,?,?,?,?,00000001,?,00000000), ref: 00C9624C
        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C96314
          • Part of subcall function 00C55DF0: GetLastError.KERNEL32(00000068,?,00C56B16,?), ref: 00C55DFA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharFileMultiWide$CloseCreateErrorHandleIos_base_dtorLastSizestd::ios_base::_
        • String ID: information:$CreateFile error - $Error getting file size - $Error while calculating sha1 - $File $File size: $File's sha1:
        • API String ID: 4176796106-760261076
        • Opcode ID: e12c8475cfc9a2eb565892b748ff0b28111d551c8f18fa9d977fc8452e6f6576
        • Instruction ID: b8dd0e9936f374323d8c96457a323c2149f9cfc55b813ccf08e3566bfd88e9c3
        • Opcode Fuzzy Hash: e12c8475cfc9a2eb565892b748ff0b28111d551c8f18fa9d977fc8452e6f6576
        • Instruction Fuzzy Hash: DA7108B1508380ABD720EF21DC46F9FB7E8AF94705F004C2DF58993281EB7596189BA3
        APIs
        • Sleep.KERNEL32(00000064,FusionSeparated init - start,0000001C), ref: 00C89EFE
          • Part of subcall function 00C3B030: std::_String_base::_Xlen.LIBCPMT ref: 00C3B08C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: SleepString_base::_Xlenstd::_
        • String ID: Fail hello client pipe$FusionSeparated init - end$FusionSeparated init - initiated$FusionSeparated init - start$FusionSeparated init - stat$No fusion process while wait init$d$fusion-bundle.exe$fusion-hello$fusion-initiated$fusion-stat
        • API String ID: 850321860-1736376930
        • Opcode ID: 012d26507146d32d4c5bfc1c8fbb413711ac861ab6b18504400034eda4b3bafa
        • Instruction ID: 9bb9f41ff7a97c0c5752143ed85986cc1250ab90f8a5a4218761f4e108a5e8b4
        • Opcode Fuzzy Hash: 012d26507146d32d4c5bfc1c8fbb413711ac861ab6b18504400034eda4b3bafa
        • Instruction Fuzzy Hash: 9A71F4B16043809FD714EF15D886B2FB7E0AF84708F400A2EF69247282EB75D949DB97
        APIs
        • Sleep.KERNEL32(00000064,FusionSeparated showWindow - start,00000022,05A2C2A1), ref: 00C894F2
        Strings
        • No fusion process while wait installing, xrefs: 00C89648
        • fusion-installing, xrefs: 00C89587
        • FusionSeparated showWindow - start, xrefs: 00C894DB, 00C8966F
        • fusion-showing, xrefs: 00C89529
        • FusionSeparated showWindow - stat, xrefs: 00C8960B
        • No fusion process while wait showing, xrefs: 00C8963F
        • FusionSeparated showWindow - end, xrefs: 00C89693
        • fusion-bundle.exe, xrefs: 00C895D7
        • FusionSeparated showWindow - installing, xrefs: 00C895AC
        • fusion-stat, xrefs: 00C895C2
        • FusionSeparated showWindow - showing, xrefs: 00C8954E
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Sleep
        • String ID: FusionSeparated showWindow - end$FusionSeparated showWindow - installing$FusionSeparated showWindow - showing$FusionSeparated showWindow - start$FusionSeparated showWindow - stat$No fusion process while wait installing$No fusion process while wait showing$fusion-bundle.exe$fusion-installing$fusion-showing$fusion-stat
        • API String ID: 3472027048-3675115871
        • Opcode ID: 39c022fe8a9641a12bb4391ad3ad2b9e51c8783e5a2acfb2ffe3e50b194b7100
        • Instruction ID: 8429bb99faf090b7d68c695380f1f207d0d474ea880c4f5f09200741ed198c30
        • Opcode Fuzzy Hash: 39c022fe8a9641a12bb4391ad3ad2b9e51c8783e5a2acfb2ffe3e50b194b7100
        • Instruction Fuzzy Hash: 2A515571614340AFCB15FF658882B6FB3E5EB88708F44092DF59697282EA70D905CB97
        APIs
        • CoInitialize.OLE32(00000000), ref: 00C7578F
        • SHGetSpecialFolderLocation.SHELL32(00000000,?,?), ref: 00C757A7
        • SHGetSpecialFolderLocation.SHELL32(00000000,?,?), ref: 00C758EE
        • SHBrowseForFolderW.SHELL32 ref: 00C7599F
        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C759F1
          • Part of subcall function 00C3AE10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AE5F
        • SHGetPathFromIDListW.SHELL32(?,?), ref: 00C75849
          • Part of subcall function 00C48CA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C48D3A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Folder$FromListLocationPathSpecial$BrowseInitializeIos_base_dtorString_base::_Xlenstd::_std::ios_base::_
        • String ID: A$SHBrowseForFolder returned 0$SHGetPathFromIDList failed: $SHGetSpecialFolderLocation failed:
        • API String ID: 3653647896-4115638718
        • Opcode ID: 0cf509db952aae529d6ea5d5b83f01f71638bd1469e40a006a16d16df4bb5942
        • Instruction ID: 733ed2c982a8f451cc4fcb77b5b67955bc34fb9966f2a534ff19b4878aae32c7
        • Opcode Fuzzy Hash: 0cf509db952aae529d6ea5d5b83f01f71638bd1469e40a006a16d16df4bb5942
        • Instruction Fuzzy Hash: AC917DB15087409FC320DF15D981B6FBBE9ABD8714F408E2DF18987291DB759908CBA3
        APIs
          • Part of subcall function 00C78CC0: RtlEnterCriticalSection.NTDLL(00D07434), ref: 00C78CC8
          • Part of subcall function 00C78CC0: SetUnhandledExceptionFilter.KERNEL32(?,030A2BC8,?,00C77C69,05A2C2A1), ref: 00C78CFD
        • GetModuleHandleW.KERNEL32 ref: 00C77D3D
        • GetProcAddress.KERNEL32(00000000), ref: 00C77D44
        • GetCurrentThreadId.KERNEL32 ref: 00C77D9C
        • GetModuleHandleW.KERNEL32(kernel32,RtlCaptureContext,?,?,?,?,00000000,00000308,05A2C2A1,?,05A2C2A1), ref: 00C77EA1
        • GetProcAddress.KERNEL32(00000000), ref: 00C77EA8
        • GetCurrentThreadId.KERNEL32 ref: 00C77EFA
          • Part of subcall function 00C77020: RtlEnterCriticalSection.NTDLL(?), ref: 00C7702B
          • Part of subcall function 00C77020: RtlLeaveCriticalSection.NTDLL(?), ref: 00C7703B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalSection$AddressCurrentEnterHandleModuleProcThread$ExceptionFilterLeaveUnhandled
        • String ID: %$%$RtlCaptureContext$kernel32
        • API String ID: 1833656116-3470988165
        • Opcode ID: 5bf719439d27299dea8f17d6e91bb133e29bc901412eed257c8a0829832dd647
        • Instruction ID: 5b0c14b9d4c3665164b9b736c188f4db34ea087abfd1b16dacfa5ba13267a5b3
        • Opcode Fuzzy Hash: 5bf719439d27299dea8f17d6e91bb133e29bc901412eed257c8a0829832dd647
        • Instruction Fuzzy Hash: 2C914B71508744AFD720DF64CC45FABB7E8FB88714F108A1DF29997290DB75A604CB62
        APIs
        • CreatePipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,05A2C2A1), ref: 00C6D0A0
        • CreateProcessW.KERNEL32(00000000,-00000004,00000000,00000000,00000001,00000010,00000000,00000000,?,?,?,?,?,?,?,00CDC25D), ref: 00C6D160
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Create$PipeProcess
        • String ID: D
        • API String ID: 759506453-2746444292
        • Opcode ID: ad4ee761b4676597d7171a33a1dce96bcda76b72926dca3fe4b7d1eac31a32cc
        • Instruction ID: ed6eb58e878b42d35705490663f14a7664eb4c9f65081d496c02dc015a7c4c08
        • Opcode Fuzzy Hash: ad4ee761b4676597d7171a33a1dce96bcda76b72926dca3fe4b7d1eac31a32cc
        • Instruction Fuzzy Hash: C0810AB16083809FD730DF59D980B9BB7E9BF89704F404A1DF29A87251D7749944CB63
        APIs
        • GetModuleHandleA.KERNEL32(kernel32,00000003,?,?,00CB9C4E,secur32.dll), ref: 00CA7A8A
        • GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 00CA7AA2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: AddDllDirectory$LoadLibraryExA$kernel32
        • API String ID: 1646373207-3327535076
        • Opcode ID: 6f5ff3451b400061f8375d27c17e2d586cda5a1eee83138fab6732c8052e7ea7
        • Instruction ID: 820f805e604277fea894d4b5a384eaabde67098c326a763c803c81cd5e24c706
        • Opcode Fuzzy Hash: 6f5ff3451b400061f8375d27c17e2d586cda5a1eee83138fab6732c8052e7ea7
        • Instruction Fuzzy Hash: 0041187234A3465FD3115B287C48FAA7798EF86736F14427AFA12CB251DF61CA0886F0
        APIs
        • OleUninitialize.OLE32 ref: 00C641D2
        • OleInitialize.OLE32(00000000), ref: 00C641E0
        • GetWindowTextLengthW.USER32(?), ref: 00C641E7
        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00C6423E
        • SetWindowTextW.USER32(?,00CE5924), ref: 00C6424A
        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00C64266
        • GlobalFix.KERNEL32(00000000), ref: 00C64282
        • GlobalUnWire.KERNEL32(00000000), ref: 00C6429D
        • SysFreeString.OLEAUT32(00000000), ref: 00C642D5
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: GlobalTextWindow$AllocFreeInitializeLengthStringUninitializeWire
        • String ID:
        • API String ID: 1289996212-0
        • Opcode ID: 07b7289908bbd61c04f313a7f2ae34c5cbb3074d26992d83469a56e8176891ba
        • Instruction ID: 23015487910356325a62b12f4222ec9fe85f22690edd427f965c2032e3f239d4
        • Opcode Fuzzy Hash: 07b7289908bbd61c04f313a7f2ae34c5cbb3074d26992d83469a56e8176891ba
        • Instruction Fuzzy Hash: 7D918D75900245AFDB25DFA4CCD4FAEBBB8EF49310F244619F912A7290DB74AE41CB60
        APIs
        • GetActiveWindow.USER32 ref: 00C4FD7A
        • GetParent.USER32(?), ref: 00C4FD86
        • GetCapture.USER32 ref: 00C4FD8E
        • IsWindow.USER32(00000000), ref: 00C4FDA0
        • IsWindow.USER32(00000000), ref: 00C4FDA7
        • SetCapture.USER32(?), ref: 00C4FDB5
        • InvalidateRect.USER32(?,00000000,00000001), ref: 00C4FDC3
        • ClientToScreen.USER32(?,?), ref: 00C4FDED
        • WindowFromPoint.USER32(?,?), ref: 00C4FDFD
        • InvalidateRect.USER32(?,00000000,00000001), ref: 00C4FE1F
        • ReleaseCapture.USER32 ref: 00C4FE2C
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Window$Capture$InvalidateRect$ActiveClientFromParentPointReleaseScreen
        • String ID:
        • API String ID: 54298939-0
        • Opcode ID: f9fd6b176fe2d5b88c471738af30fd1171ffff2ef42ce79d8e4be2620c9ec23e
        • Instruction ID: 3f648353eb466a2889d15079656cf877f292b16ff23ffa681ecfbd31dbffa820
        • Opcode Fuzzy Hash: f9fd6b176fe2d5b88c471738af30fd1171ffff2ef42ce79d8e4be2620c9ec23e
        • Instruction Fuzzy Hash: 23315A752043819FC724DF24D988F2BB7E9FB88711F04892CF89A87661D774E846CB60
        APIs
        • GetTickCount.KERNEL32 ref: 00C38B2D
        • PeekMessageW.USER32(?,00000000,00000400,00000400,00000000), ref: 00C38B52
          • Part of subcall function 00C68EC0: IsUserAnAdmin.SHELL32 ref: 00C68EC0
        • SendMessageW.USER32(?,000007E9,00000000,00000000), ref: 00C38C10
        • SendMessageW.USER32(?,000007E9,00000000,00000000), ref: 00C38F49
          • Part of subcall function 00C376B0: Sleep.KERNEL32(00000064,?,00000000), ref: 00C37832
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$Send$AdminCountPeekSleepTickUser
        • String ID: browsersTerminated$installer$postMG
        • API String ID: 136132124-1007714630
        • Opcode ID: 4708525f1f7c71d5ed37b866086fdbafe32976a8cd366712a0751f5e17080cd7
        • Instruction ID: ad8183b437ae2d479781861df7737b83f78b1ba6a105d88ff01a7de69074bcae
        • Opcode Fuzzy Hash: 4708525f1f7c71d5ed37b866086fdbafe32976a8cd366712a0751f5e17080cd7
        • Instruction Fuzzy Hash: 18B1C6B06183809FDB14FBB0D896B6FB7D9AFC4300F00491DF1965B2D2DE759908AB66
        APIs
        • GetStockObject.GDI32 ref: 00C5BA30
        • GetStockObject.GDI32(0000000D), ref: 00C5BA38
        • GetObjectW.GDI32(00000000,0000005C,?), ref: 00C5BA4A
        • 73A1A570.USER32(?), ref: 00C5BAAA
        • OleCreateFontIndirect.OLEAUT32(?), ref: 00C5BB2A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Object$Stock$A570CreateFontIndirect
        • String ID:
        • API String ID: 3222375704-3916222277
        • Opcode ID: d9dece6dcc7115db4aec284932041a35af2939ed69a88e8e2e88068615411038
        • Instruction ID: 198da57cd3f63d5676242e0789fb4efa888d4ed1564e0af35d8b0e327f1ae816
        • Opcode Fuzzy Hash: d9dece6dcc7115db4aec284932041a35af2939ed69a88e8e2e88068615411038
        • Instruction Fuzzy Hash: B9418B755083459FD720DF65C881B6FBBE8BF88341F004919F995DB280EB74DA48CB66
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ColorWindow
        • String ID:
        • API String ID: 4045458706-0
        • Opcode ID: 80ed6198826515a18988867700a06580bf76bd70929c955159eee800b9ad5808
        • Instruction ID: cdcab8520dd4c8c0d8da25be9d788b8fb5f5181b5b04f642d8aba58d85c4b8b3
        • Opcode Fuzzy Hash: 80ed6198826515a18988867700a06580bf76bd70929c955159eee800b9ad5808
        • Instruction Fuzzy Hash: F4B1BE786043019FD718DF18C884B6EB7E9AF89711F04891CFD948B291DB74EE89CB66
        APIs
        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C428F9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Ios_base_dtorstd::ios_base::_
        • String ID: <?xml version="1.0" encoding="UTF-8"?>$action$afterInstallMg$file_name$mediagetInstaller$resaller$statVersion
        • API String ID: 323602529-1959298732
        • Opcode ID: a4c49ac967da14e6f29e61eba1a22fc2eba80698962fda98422cd468f5a559b3
        • Instruction ID: e442db3ad5caafdb6b27d5c19e0fabd2f3c0db3c130da3d21d1a41aa437f781d
        • Opcode Fuzzy Hash: a4c49ac967da14e6f29e61eba1a22fc2eba80698962fda98422cd468f5a559b3
        • Instruction Fuzzy Hash: E4C1C4B59583C0ABC221EB649C46B9FB7E87F98304F844D1DF5D853242EB7491089B63
        APIs
        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C42419
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Ios_base_dtorstd::ios_base::_
        • String ID: <?xml version="1.0" encoding="UTF-8"?>$action$beforeDownloadMg$file_name$mediagetInstaller$resaller$statVersion
        • API String ID: 323602529-4086661649
        • Opcode ID: 8a2be0c07895c0f111e2284d50f5e00eb40fd565dbec99a58e53df2b018ad501
        • Instruction ID: 62fff7743c7dc29cee678d88725f2e1c076eb9715b59d764473519f689502b5a
        • Opcode Fuzzy Hash: 8a2be0c07895c0f111e2284d50f5e00eb40fd565dbec99a58e53df2b018ad501
        • Instruction Fuzzy Hash: 2DC1B6B59583C0ABC221EB649C46B9FB7E8BF98304F444D1DF5D853242EBB5920C9B63
        APIs
        • Sleep.KERNEL32(00000064,?,?,https://install.mediaget.com/index2.php,00000027,00000000,00000000,00000000,00000000,?,00000000,statVersion,0000000B,action,00000006,crash), ref: 00C44252
        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C442EF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Ios_base_dtorSleepstd::ios_base::_
        • String ID: <?xml version="1.0" encoding="UTF-8"?>$action$crash$https://install.mediaget.com/index2.php$mediagetInstaller$statVersion
        • API String ID: 4130776848-2957850286
        • Opcode ID: 591852b63fca1ae89e7edd52b7d44cf55e0d79207efa2755deae02ea81921fc1
        • Instruction ID: 326356da66016fbc5d0eac8a005c3f698426a6bab0f75711eb2ea5f1f4df667c
        • Opcode Fuzzy Hash: 591852b63fca1ae89e7edd52b7d44cf55e0d79207efa2755deae02ea81921fc1
        • Instruction Fuzzy Hash: 05A182B18483C1AAD334EB64D886B9FF7E8BF94304F44092EF59953242EB749508CB63
        APIs
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD2F0
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD320
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD37F
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBD3B1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
        • String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd$--:--:--
        • API String ID: 885266447-1858174321
        • Opcode ID: f30a20a1a60ab1822c0e4fbce17129879dc586344f6db418295cf63afc332a9a
        • Instruction ID: 2daf4377d2839abe6ebad5670d3c13be0072e782d919d3f3a6120c70ee4e425d
        • Opcode Fuzzy Hash: f30a20a1a60ab1822c0e4fbce17129879dc586344f6db418295cf63afc332a9a
        • Instruction Fuzzy Hash: 82315D763447447FE220AA69AC82FBF77DDDBC1F44F054529F604AB2D3E5A1EC0186A1
        APIs
          • Part of subcall function 00C3B030: std::_String_base::_Xlen.LIBCPMT ref: 00C3B08C
          • Part of subcall function 00C51E60: GetCurrentThreadId.KERNEL32 ref: 00C51F0D
          • Part of subcall function 00C51E60: SendMessageW.USER32(00000000), ref: 00C51F2E
          • Part of subcall function 00C51E60: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C51F44
          • Part of subcall function 00C51E60: Sleep.KERNEL32(00000064), ref: 00C51F52
          • Part of subcall function 00C51E60: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C51F5E
        • Sleep.KERNEL32(00000064,00000000,?,00CE2A20,00000002,?,?,?), ref: 00C387E5
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$PeekSleep$CurrentSendString_base::_ThreadXlenstd::_
        • String ID: 8$@$addFilesAssociations$addFirewallExceptionCheck$addWindowsAutostart$checked$playerCheck$soft_ok
        • API String ID: 3933562471-2272647988
        • Opcode ID: b7510688dc43b37957a552af274183f05b3feb6c7a4bc5ed9b9a7f8262337f14
        • Instruction ID: 4f3ffbfd6fa81cdfdacf5f51d6b8b015bb682d8f32b828014d1587550d096400
        • Opcode Fuzzy Hash: b7510688dc43b37957a552af274183f05b3feb6c7a4bc5ed9b9a7f8262337f14
        • Instruction Fuzzy Hash: F7029AB18183C09FE320DF65D481B5BBBE5AF88704F44492EF19957292DBB5D908CB63
        APIs
          • Part of subcall function 00C3AD10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AD4A
          • Part of subcall function 00C3AD10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AD61
        • Sleep.KERNEL32(00000064,?,?,00000000,00000000,00000000,00000000), ref: 00C45BC9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: String_base::_Xlenstd::_$Sleep
        • String ID: &signature=$&soft=mediaget$&status=$&url=$749c4eeb900d5b934e55da9081b1b685$?bbls_client_id=$http://sub2.bubblesmedia.ru/client/mediaget_install$yes
        • API String ID: 3562441592-397168707
        • Opcode ID: 78e43424c9c4228218408a84f55d92ad0a247688cdb3b55aab86ef8ea1147cf8
        • Instruction ID: 857aa7d91aecf4b682ea07167a0dba40eff4eb454d3da4f64afe5ab64c5338ee
        • Opcode Fuzzy Hash: 78e43424c9c4228218408a84f55d92ad0a247688cdb3b55aab86ef8ea1147cf8
        • Instruction Fuzzy Hash: 02E16DB18093819BD331EB65D881B9BFBE8BF94704F444E2EF1D942292E7709504DBA3
        APIs
        • GetParent.USER32(?), ref: 00C5071D
        • 73A1A570.USER32(00000000), ref: 00C50726
        • GetClientRect.USER32(?,?), ref: 00C50759
        • GetWindowRect.USER32(?,?), ref: 00C50768
        • ScreenToClient.USER32(00000000,?), ref: 00C50774
        • ScreenToClient.USER32(00000000,?), ref: 00C50784
        • SelectObject.GDI32(?,00000000), ref: 00C507BA
        • 73A24D40.GDI32(?,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00C507EB
        • 73A24D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00C50815
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Client$RectScreen$A570ObjectParentSelectWindow
        • String ID:
        • API String ID: 3512479441-0
        • Opcode ID: c6d1ec0f23c37aea22beae763d5aa7898451c323ecaee5bfed6216067d158a96
        • Instruction ID: 3432275735560723d5f5dbddd376b50709fd83ddc37815db0aa9a8e11e350cd6
        • Opcode Fuzzy Hash: c6d1ec0f23c37aea22beae763d5aa7898451c323ecaee5bfed6216067d158a96
        • Instruction Fuzzy Hash: C931DEB1104345AF9314DF69D9C8E2BBBFCFB8C745B008A1DF99A92210DA70E904CF22
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,?,?), ref: 00C68F47
        • _com_issue_errorex.COMSUPP ref: 00C72A1F
        • _com_issue_errorex.COMSUPP ref: 00C72AAE
          • Part of subcall function 00CD5C00: GetErrorInfo.OLEAUT32(00000000,00000000,?,00C76622,00000000,?,00CE68A0,?,HNetCfg.FwRule,00000000), ref: 00CD5C50
        • _com_issue_errorex.COMSUPP ref: 00C72ADE
        • _com_issue_errorex.COMSUPP ref: 00C72B0E
        • _com_issue_errorex.COMSUPP ref: 00C72B5A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: _com_issue_errorex$ByteCharMultiWide$ErrorInfo
        • String ID: HNetCfg.FwPolicy2$HNetCfg.FwRule
        • API String ID: 2267157010-590769273
        • Opcode ID: d3344c66833ceae69242e88783bdefc40d9e79f38407c461d9c0d201bcec77c2
        • Instruction ID: 7671a8c077eb960e062cd9fd92dc3cdbcf2b00d842013857d92e7d3a86458206
        • Opcode Fuzzy Hash: d3344c66833ceae69242e88783bdefc40d9e79f38407c461d9c0d201bcec77c2
        • Instruction Fuzzy Hash: 02D1B2B1E00248AFCF10EFA4C881ADEBBB5AF58314F54816EF60DA7341D7359A45DBA1
        APIs
          • Part of subcall function 00C6C650: GetTempPathW.KERNEL32(00000104,?,05A2C2A1,?,?), ref: 00C6C6D8
          • Part of subcall function 00C3B030: std::_String_base::_Xlen.LIBCPMT ref: 00C3B08C
          • Part of subcall function 00C6E5C0: FindResourceW.KERNEL32(00000000,?,?,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00C6E62E
        • Sleep.KERNEL32(00000064,?,00000000), ref: 00C37832
          • Part of subcall function 00C68F50: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,00000000,?), ref: 00C68FBD
        • SetForegroundWindow.USER32(?), ref: 00C37BAE
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CreateFileFindForegroundPathResourceSleepString_base::_TempWindowXlenstd::_
        • String ID: ADMIN-PROXY$ARCHIVE_7Z$addFirewallExceptionCheck$admin-proxy.7z$checked
        • API String ID: 1219432678-629822595
        • Opcode ID: 048a68015624ad75e56085123efd207826b044dc9a74af8292aeef1e787915c5
        • Instruction ID: 07429ba9e0222dd9499021bb3752390c0b969e43c578f4e431c338c382497a3c
        • Opcode Fuzzy Hash: 048a68015624ad75e56085123efd207826b044dc9a74af8292aeef1e787915c5
        • Instruction Fuzzy Hash: 3AE18DB180C3C09AD731EB64D885B9FBBE8AF95304F044E1EF1D946242EB759548DBA3
        APIs
        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C41F39
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Ios_base_dtorstd::ios_base::_
        • String ID: <?xml version="1.0" encoding="UTF-8"?>$action$file_name$mediagetInstaller$start$statVersion
        • API String ID: 323602529-1832769038
        • Opcode ID: 907ac41908feb5a5ed8ea509736afeeb980f24db0d8cd65c6dd0925366d44f7b
        • Instruction ID: 6a1eb47a4bfcb9437db5e7d15f29c502a727d9f015a4703b5e2c83a3b19f691e
        • Opcode Fuzzy Hash: 907ac41908feb5a5ed8ea509736afeeb980f24db0d8cd65c6dd0925366d44f7b
        • Instruction Fuzzy Hash: 2CA1B2B59583C0ABC321EB649C46B9FB7E8BF98704F444D2DF5D953242EB7492088B63
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: __aulldiv__aulldvrm
        • String ID: %d%s$%d%s%d%s
        • API String ID: 2518046130-1634263421
        • Opcode ID: 68516c65a608681d50f0b1eaa98d993b6f92333c3fa77c00a1e8da5350ae615d
        • Instruction ID: eef3ae24d75189f7a38c6b5595c079897d7ad0b49ea0347a4d6abbee5a6c67fe
        • Opcode Fuzzy Hash: 68516c65a608681d50f0b1eaa98d993b6f92333c3fa77c00a1e8da5350ae615d
        • Instruction Fuzzy Hash: 0391F9B1908380ABD720EF65C885B5FB7E5ABC4704F44492EF58C97382EB759904DBA3
        APIs
        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00C73AA5
        • WriteFile.KERNEL32(00000000,test data,test data,?,00000000), ref: 00C73B29
        • CloseHandle.KERNEL32(00000000), ref: 00C73B73
        • DeleteFileW.KERNEL32(?), ref: 00C73B84
        • DeleteFileW.KERNEL32(?), ref: 00C73B8F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: File$Delete$CloseCreateHandleWrite
        • String ID: -tmp-%d.tmp$test data
        • API String ID: 4023221640-3021884096
        • Opcode ID: 03e3fd8ba8d1f7b2f5f7c51cb019a0d74d498c316fb5089ca12bafb0a15f5bb9
        • Instruction ID: 0ea925629174ff2d229320a0f147c7da7be2982b288b91aaa1b27780a6d9196c
        • Opcode Fuzzy Hash: 03e3fd8ba8d1f7b2f5f7c51cb019a0d74d498c316fb5089ca12bafb0a15f5bb9
        • Instruction Fuzzy Hash: E261D2B15083809BD710DF64DC85F6BB7E8AB94704F44492EF68997241DB34EA08DBA3
        APIs
        • CreateNamedPipeW.KERNEL32(?,00000002,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00C54DB2
        • GetLastError.KERNEL32(?,?,\\.\pipe\,00000000,05A2C2A1,?,00000000,0000000F,00000000), ref: 00C54DBC
        • CreateNamedPipeW.KERNEL32(?,00000001,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00C54EA6
        • GetLastError.KERNEL32(?,?,\\.\pipe\,00000000,05A2C2A1,?,00000000,0000000F,00000000), ref: 00C54EB0
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        Similarity
        • API ID: ByteCharCreateErrorLastMultiNamedPipeWide
        • String ID: -admin-proxy-pipe-in$-admin-proxy-pipe-out$\\.\pipe\
        • API String ID: 2196609083-801823924
        • Opcode ID: 7db6237d760649153ce7bcc71b533fd78ed9e2c9d6be37c923840f79be89c9f2
        • Instruction ID: 68f444008523a5585c5d6c6459a7224283751c137d548be9c255879b6bf4fa3e
        • Opcode Fuzzy Hash: 7db6237d760649153ce7bcc71b533fd78ed9e2c9d6be37c923840f79be89c9f2
        • Instruction Fuzzy Hash: 3D51F6B6508380AFD310EFA4DC82A1BF3E9EB84715F404A2EF55583281DB75D948DB27
        APIs
          • Part of subcall function 00C68C40: CreateToolhelp32Snapshot.KERNEL32 ref: 00C68C62
          • Part of subcall function 00C68C40: Process32FirstW.KERNEL32(00000000,00000010), ref: 00C68C77
        • Sleep.KERNEL32(000003E8,00000000,?,00000000,000000FF), ref: 00C88EAC
        • Sleep.KERNEL32(000003E8), ref: 00C88F75
        • TerminateThread.KERNEL32(?,00000002), ref: 00C88F81
        Similarity
        • API ID: Sleep$CreateFirstProcess32SnapshotTerminateThreadToolhelp32
        • String ID: ; No fusion process$; Stage: $fusion-bundle.exe$fusion-cancel
        • API String ID: 3243831205-826279003
        • Opcode ID: 7d9c004fd8a63bae063c47c3abc9718ab0dcbdb65438c9b11503f3c05d84ee35
        • Instruction ID: cc1038e9c1a340775a13e88f216d978e89defa343aec9906fe4b68a591373c16
        • Opcode Fuzzy Hash: 7d9c004fd8a63bae063c47c3abc9718ab0dcbdb65438c9b11503f3c05d84ee35
        • Instruction Fuzzy Hash: 385113B5508380AFD710EF50D885B1BB7E4AF84708F440A2DF595562C2EB78EA09CBA7
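Every record on this page has the same shape: an APIs list naming each Win32 call the recovered function makes, with the argument values observed at the call site (hex words, `?` where the sandbox could not resolve a value, referenced strings inline) and the `ref:` address of the call instruction; entries marked "Part of subcall function" are calls made inside a callee rather than in the function itself; the Similarity block reduces the record to an API ID, a String ID and two fuzzy hashes for matching against other samples. Reading these by hand across thousands of lines is slow, so the following Python script, added here for this page and not part of Joe Sandbox or of the analysed sample, parses an excerpt in this layout into per-function records, separates direct calls from subcall calls, and applies the checks a triager would want first: flagging API combinations such as CreateToolhelp32Snapshot together with TerminateThread (the record just above), locating the functions that reference a given string, and decoding the WaitForSingleObject timeout argument (the value 00124F80 in the WaitForSingleObject record further down this page is 1,200,000 ms, that is 20 minutes). The embedded excerpt is constructed from records on this page; the heuristic labels and the `Record`/`Call` classes are the script's own.

```python
"""Parse the per-function 'APIs' records of a Joe Sandbox report excerpt.

Record layout as it appears on the report page:
  APIs
  • Name.MODULE(arg,arg,...), ref: ADDR                         direct call
    • Part of subcall function ADDR: Name.MODULE(...), ref: ADDR  call in a callee
  Similarity
  • API ID: ...
  • String ID: str1$str2$...
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt in the report's own layout (assembled for this example
# from records on the page; argument lists shortened).
SAMPLE = r"""
APIs
• CreateNamedPipeW.KERNEL32(?,00000002,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00C54DB2
• GetLastError.KERNEL32(?,?,\\.\pipe\,00000000), ref: 00C54DBC
  • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
Similarity
• API ID: ByteCharCreateErrorLastMultiNamedPipeWide
• String ID: -admin-proxy-pipe-in$-admin-proxy-pipe-out$\\.\pipe\
APIs
  • Part of subcall function 00C68C40: CreateToolhelp32Snapshot.KERNEL32 ref: 00C68C62
  • Part of subcall function 00C68C40: Process32FirstW.KERNEL32(00000000,00000010), ref: 00C68C77
• Sleep.KERNEL32(000003E8), ref: 00C88F75
• TerminateThread.KERNEL32(?,00000002), ref: 00C88F81
Similarity
• API ID: Sleep$CreateFirstProcess32SnapshotTerminateThreadToolhelp32
• String ID: ; No fusion process$fusion-bundle.exe$fusion-cancel
APIs
• WaitForSingleObject.KERNEL32(?,00124F80,05A2C2A1,00000000), ref: 00C80170
Similarity
• API ID: ObjectSingleWait
• String ID: WAIT_ABANDONED$WAIT_TIMEOUT
"""

# One API bullet: optional subcall prefix, Name.MODULE, optional (args), ref: ADDR
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<callee>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:~]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str                       # address of the call instruction
    callee: Optional[str] = None   # set when the call happens inside a subcall


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    api_id: str = ""
    strings: List[str] = field(default_factory=list)

    def api_names(self, include_subcalls: bool = True) -> List[str]:
        """Sorted, de-duplicated API names, optionally restricted to direct calls."""
        return sorted({c.name for c in self.calls if include_subcalls or c.callee is None})


def parse_records(text: str) -> List[Record]:
    """Split the excerpt at each 'APIs' header and parse the bullets that follow."""
    records: List[Record] = []
    cur: Optional[Record] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(Call(m.group("name"), m.group("mod"), args, m.group("ref"), m.group("callee")))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            cur.strings = line.split(":", 1)[1].strip().split("$")
    return records


# Heuristic labels (chosen for this example) keyed on API combinations.
HEURISTICS = {
    "enumerates processes then kills a thread": {"CreateToolhelp32Snapshot", "TerminateThread"},
    "named-pipe server": {"CreateNamedPipeW"},
    "overlapped I/O": {"GetOverlappedResult"},
}


def flag(rec: Record) -> List[str]:
    """Labels whose required API set is fully present in the record (subcalls included)."""
    names = set(rec.api_names())
    return sorted(tag for tag, needed in HEURISTICS.items() if needed <= names)


def wait_timeouts_ms(rec: Record) -> List[int]:
    """dwMilliseconds (second argument) of every resolved WaitForSingleObject call."""
    return [int(c.args[1], 16) for c in rec.calls
            if c.name == "WaitForSingleObject" and len(c.args) > 1 and c.args[1] != "?"]


def records_with_string(records: List[Record], needle: str) -> List[int]:
    """Indexes of the records whose String ID contains needle."""
    return [i for i, r in enumerate(records) if any(needle in s for s in r.strings)]


if __name__ == "__main__":
    for i, r in enumerate(parse_records(SAMPLE)):
        print(i, r.api_names(include_subcalls=False), flag(r), wait_timeouts_ms(r))
```

Run against a whole report, the direct-call/subcall split matters: the Toolhelp32 snapshot is attributed to function 00C68C40 even though it is listed under the caller, so de-duplicating on `callee` keeps one library helper from inflating the API set of every function that uses it.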
        APIs
        • CreateWindowExW.USER32(00000000,Static,00CEA6F4,5000010E,00000172,00000104,000000B2,00000026,?,00000000,00000000,00000000), ref: 00C88220
        • GetModuleHandleW.KERNEL32(00000000,?,00000000,00000000,00000000,00000010), ref: 00C882CD
        • LoadImageW.USER32(00000000), ref: 00C882D4
        • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00C882E9
          • Part of subcall function 00C6C650: GetTempPathW.KERNEL32(00000104,?,05A2C2A1,?,?), ref: 00C6C6D8
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        Similarity
        • API ID: ByteCharMultiWide$CreateHandleImageLoadMessageModulePathSendTempWindow
        • String ID: Static$img\install-fusion-en.bmp$img\install-fusion-ru.bmp
        • API String ID: 3001717624-4127920877
        • Opcode ID: c71d5be138cc7ff6c03a09e110f119b97e11cff6ea11282448171cab9ef823b7
        • Instruction ID: 6178211af65bd4b4dd6aaaccbe5641ef1918520e95625e5d8a1645cfe2a69f45
        • Opcode Fuzzy Hash: c71d5be138cc7ff6c03a09e110f119b97e11cff6ea11282448171cab9ef823b7
        • Instruction Fuzzy Hash: 0431E4B1648340BFE320EF68DD4AF5B77A8AB44B04F444909F245AA2D1DBB5E8048B67
        APIs
        • CreateWindowExW.USER32(00000000,Static,00CEA744,5000010E,0000006E,00000104,000000B2,00000026,?,00000000,00000000,00000000), ref: 00C8836D
        • GetModuleHandleW.KERNEL32(00000000,?,00000000,00000000,00000000,00000010), ref: 00C8841A
        • LoadImageW.USER32(00000000), ref: 00C88421
        • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00C88436
          • Part of subcall function 00C6C650: GetTempPathW.KERNEL32(00000104,?,05A2C2A1,?,?), ref: 00C6C6D8
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        Similarity
        • API ID: ByteCharMultiWide$CreateHandleImageLoadMessageModulePathSendTempWindow
        • String ID: Static$img\cancel-fusion-en.bmp$img\cancel-fusion-ru.bmp
        • API String ID: 3001717624-1370779823
        • Opcode ID: efcc0d902b6e85297eecdb1614ae893df1ebb61b803acd7baf19ba3732de215a
        • Instruction ID: bcb50e0b0d8a5cafd837c2624be5808d48329994d5bd5d287aaebf1b31904dc2
        • Opcode Fuzzy Hash: efcc0d902b6e85297eecdb1614ae893df1ebb61b803acd7baf19ba3732de215a
        • Instruction Fuzzy Hash: 4B31C4B1648340AFE310EB64DD8AF5B77E8AB84B04F404919F2459A2D1DBB5E8448B67
        APIs
        • OleUninitialize.OLE32 ref: 00C57AE2
        • OleInitialize.OLE32(00000000), ref: 00C57AF0
        • GetWindowTextLengthW.USER32(?), ref: 00C57AF7
        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00C57B4E
        • SetWindowTextW.USER32(?,00CE5924), ref: 00C57B5A
        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00C57B76
        • GlobalFix.KERNEL32(00000000), ref: 00C57B90
        • GlobalUnWire.KERNEL32(00000000), ref: 00C57BAB
        Similarity
        • API ID: GlobalTextWindow$AllocInitializeLengthUninitializeWire
        • String ID:
        • API String ID: 348548121-0
        • Opcode ID: 0dedc8ba978dc55fc49e3f699a1e91367d4e554b1bbb434188e0fa17a01f2e40
        • Instruction ID: e87a188e139847f1d8e1ee0eec1ca4537b6258d927c8d922d1c92e82967e6537
        • Opcode Fuzzy Hash: 0dedc8ba978dc55fc49e3f699a1e91367d4e554b1bbb434188e0fa17a01f2e40
        • Instruction Fuzzy Hash: 1F818E79904245AFDB10DF68DC84FAEBBB8EF48301F144659F912E7291DA34AE84CB64
        APIs
        • OleUninitialize.OLE32 ref: 00C63F22
        • OleInitialize.OLE32(00000000), ref: 00C63F30
        • GetWindowTextLengthW.USER32(?), ref: 00C63F37
        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00C63F8E
        • SetWindowTextW.USER32(?,00CE5924), ref: 00C63F9A
        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00C63FB6
        • GlobalFix.KERNEL32(00000000), ref: 00C63FD0
        • GlobalUnWire.KERNEL32(00000000), ref: 00C63FEB
        Similarity
        • API ID: GlobalTextWindow$AllocInitializeLengthUninitializeWire
        • String ID:
        • API String ID: 348548121-0
        • Opcode ID: bfef05ce1c2bd20bdde91fe70a6be6cfcb30ae260f0d8710b3fb00081e799ecb
        • Instruction ID: 493b8bdee2af7dfcf9a8302aaa6790a55e29612d0fdfb2bee37fb8059f5cb30b
        • Opcode Fuzzy Hash: bfef05ce1c2bd20bdde91fe70a6be6cfcb30ae260f0d8710b3fb00081e799ecb
        • Instruction Fuzzy Hash: 0D818B75900245AFDB24DFA8CC84FAEBBB8EF49300F144659F916E7291DB34AE41CB60
        APIs
        • WSASetLastError.WS2_32(00002726,?,?,?), ref: 00CC53C7
        • Sleep.KERNEL32(?,?,?,?), ref: 00CC53DA
        Similarity
        • API ID: ErrorLastSleep
        • String ID:
        • API String ID: 1458359878-0
        • Opcode ID: 9752da09feabd0b88e1476bb7deb2f1e7173072634aed04cc1e9e4968b088d4a
        • Instruction ID: ae366de8d9564d7fa8f2b00eedd34111655a008221ea0a93544c7aca78e1282e
        • Opcode Fuzzy Hash: 9752da09feabd0b88e1476bb7deb2f1e7173072634aed04cc1e9e4968b088d4a
        • Instruction Fuzzy Hash: 3F51A671904B454BD738DE68D880BBEB3D9AB84322F540A3EE979C21D0D735EAC58692
        APIs
        • VariantInit.OLEAUT32(?), ref: 00C5F686
        • VariantClear.OLEAUT32(?), ref: 00C5F6FA
        • VariantInit.OLEAUT32(?), ref: 00C5F734
        • VariantChangeType.OLEAUT32 ref: 00C5F748
        • VariantClear.OLEAUT32(?), ref: 00C5F76F
        • VariantClear.OLEAUT32(?), ref: 00C5F78B
        • VariantClear.OLEAUT32(?), ref: 00C5F7BE
        • VariantClear.OLEAUT32(?), ref: 00C5F7DA
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C69C1F
          • Part of subcall function 00C69BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 00C69C3E
        Similarity
        • API ID: Variant$Clear$ByteCharInitMultiWide$ChangeType
        • String ID:
        • API String ID: 3063415910-0
        • Opcode ID: 01d82d4bdef2dc17fd5156ab0f9a4e33fd1c86be5d7fc7dce5919714b255713f
        • Instruction ID: 3da221e831df7942542a3dee71901d9f491730ae22ad20c25bb241423595cb63
        • Opcode Fuzzy Hash: 01d82d4bdef2dc17fd5156ab0f9a4e33fd1c86be5d7fc7dce5919714b255713f
        • Instruction Fuzzy Hash: A7617DB66083819FC714DF58D8C0A1BB7E9FB88710F104A2EF5A5C7251D775E909CBA2
        APIs
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C62427
        • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?), ref: 00C6243E
        • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 00C62486
        • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00C624C6
        • RegCloseKey.ADVAPI32(?), ref: 00C624D5
        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C624EB
        • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?), ref: 00C624FC
        • RegCloseKey.ADVAPI32(?), ref: 00C62524
        Similarity
        • API ID: Close$Enum$DeleteOpen
        • String ID:
        • API String ID: 3743465055-0
        • Opcode ID: d63abf891f6385a9fa45a490de0b41613ba8b1763f0d0a9687f2a871a1cec4ee
        • Instruction ID: c71afb55e052d7f57bb37b557fa52817398ad5c08cc2b4b4e1b4bb7d127492ea
        • Opcode Fuzzy Hash: d63abf891f6385a9fa45a490de0b41613ba8b1763f0d0a9687f2a871a1cec4ee
        • Instruction Fuzzy Hash: AE412A71608640ABC724DF59D884E6FF7E9EBC8750F148A1EF99AD3254DB30D904CB62
        APIs
        • SelectObject.GDI32(00000000,?), ref: 00C50149
        • SelectObject.GDI32(00000000,?), ref: 00C50161
        • 73A24D40.GDI32(?,?,?,?,?,00000000,00000000,00000000,008800C6), ref: 00C5018E
        • 73A24D40.GDI32(?,?,?,?,00000000,00000000,00000000,00000000,00EE0086,?,00000000,00000000,00000000,008800C6), ref: 00C501B7
        • SelectObject.GDI32(00000000,?), ref: 00C501C9
        • SelectObject.GDI32(00000000,?), ref: 00C501D1
        • DeleteDC.GDI32(00000000), ref: 00C501DE
        • DeleteDC.GDI32(00000000), ref: 00C501E5
        Similarity
        • API ID: ObjectSelect$Delete
        • String ID:
        • API String ID: 119191458-0
        • Opcode ID: fe563417ea645cbedb7444557afbf7a1395fee0fa033aa422db03fb05701d1c0
        • Instruction ID: 7446e576d26a8d84352018c584761fdaebb57d5339d4e1f9c6b5d6a4c97ced5b
        • Opcode Fuzzy Hash: fe563417ea645cbedb7444557afbf7a1395fee0fa033aa422db03fb05701d1c0
        • Instruction Fuzzy Hash: FF415B76204304AFD650DF68DC84F6BB7ECEBC8704F10890EFA55D7290C671A94ACBA2
        APIs
        Similarity
        • API ID: A570
        • String ID:
        • API String ID: 2526173095-0
        • Opcode ID: abce0ed31d664cc0ff89831177427b0858406a508e93ab51489433b5c0b4e695
        • Instruction ID: f2968ba6568ed14f38c7412ba2252b879a5d4254e551808a352afded2da0a9e1
        • Opcode Fuzzy Hash: abce0ed31d664cc0ff89831177427b0858406a508e93ab51489433b5c0b4e695
        • Instruction Fuzzy Hash: B631EEB52042029FD324DF68C988B6FBBACEF84311F004948FD658A291E770DD84CBA9
        APIs
          • Part of subcall function 00C5A900: RtlInitializeCriticalSection.NTDLL ref: 00C5A93B
        • GetModuleHandleW.KERNEL32(00000000), ref: 00C65050
          • Part of subcall function 00C5A8B0: lstrlenW.KERNEL32(?), ref: 00C5A8B6
        • lstrlenW.KERNEL32(?), ref: 00C650B5
          • Part of subcall function 00C62730: RtlEnterCriticalSection.NTDLL(?), ref: 00C6273F
          • Part of subcall function 00C62730: RtlLeaveCriticalSection.NTDLL(?), ref: 00C62750
          • Part of subcall function 00C62730: RtlDeleteCriticalSection.NTDLL(?), ref: 00C62761
        • GetModuleFileNameW.KERNEL32(00C30000,?,00000104), ref: 00C64FEA
          • Part of subcall function 00C62EC0: RtlEnterCriticalSection.NTDLL(?), ref: 00C62EFC
          • Part of subcall function 00C62EC0: RtlLeaveCriticalSection.NTDLL(?), ref: 00C62F19
        Similarity
        • API ID: CriticalSection$EnterLeaveModulelstrlen$DeleteFileHandleInitializeName
        • String ID: Module$Module_Raw$REGISTRY
        • API String ID: 1310854044-549000027
        • Opcode ID: 14b8654b289f4b6915961aab36e09b8bbbba7c19eab8b0d9bcaa80372f2c4f97
        • Instruction ID: 6f939bb8df4c443d587f1a8d25cb4d3e102040767ce36431edf2013c244d7490
        • Opcode Fuzzy Hash: 14b8654b289f4b6915961aab36e09b8bbbba7c19eab8b0d9bcaa80372f2c4f97
        • Instruction Fuzzy Hash: 2E5163715087819BC334EF64C8C0A9FB3E5BF99300F544D2DF69A97151DB719A488B93
        APIs
          • Part of subcall function 00C5A900: RtlInitializeCriticalSection.NTDLL ref: 00C5A93B
        • GetModuleHandleW.KERNEL32(00000000), ref: 00C65295
          • Part of subcall function 00C5A8B0: lstrlenW.KERNEL32(?), ref: 00C5A8B6
        • lstrlenW.KERNEL32(?), ref: 00C652FA
          • Part of subcall function 00C62730: RtlEnterCriticalSection.NTDLL(?), ref: 00C6273F
          • Part of subcall function 00C62730: RtlLeaveCriticalSection.NTDLL(?), ref: 00C62750
          • Part of subcall function 00C62730: RtlDeleteCriticalSection.NTDLL(?), ref: 00C62761
        • GetModuleFileNameW.KERNEL32(00C30000,?,00000104), ref: 00C6522F
          • Part of subcall function 00C62EC0: RtlEnterCriticalSection.NTDLL(?), ref: 00C62EFC
          • Part of subcall function 00C62EC0: RtlLeaveCriticalSection.NTDLL(?), ref: 00C62F19
        Similarity
        • API ID: CriticalSection$EnterLeaveModulelstrlen$DeleteFileHandleInitializeName
        • String ID: Module$Module_Raw$REGISTRY
        • API String ID: 1310854044-549000027
        • Opcode ID: 4a289ca1fdd92f5bb013acc277d78007273e17d5375790a68d53a4a3912ea33e
        • Instruction ID: b0d4ae219df8153b957117d5b0b000f1e84081cd6c5a260702d390ffc78e3121
        • Opcode Fuzzy Hash: 4a289ca1fdd92f5bb013acc277d78007273e17d5375790a68d53a4a3912ea33e
        • Instruction Fuzzy Hash: 0E518DB15087419FC334EF24C8C1AAFB3E4BF98740F544D2DF59A97250EA719A488B93
        APIs
        • WaitForSingleObject.KERNEL32(?,00124F80,05A2C2A1,00000000), ref: 00C80170
        Similarity
        • API ID: ObjectSingleWait
        • String ID: - $Bundle thread has not finished gracefully - $WAIT_ABANDONED$WAIT_FAILED - $WAIT_TIMEOUT
        • API String ID: 24740636-3605145387
        • Opcode ID: 0af10173153525d5dd86a02a320a088ebbae4f751501c3005275d8dbedb4fcf8
        • Instruction ID: ee7a9a3c9fb439ba48c341741baf122d836d352015e81e192e33173ce7188376
        • Opcode Fuzzy Hash: 0af10173153525d5dd86a02a320a088ebbae4f751501c3005275d8dbedb4fcf8
        • Instruction Fuzzy Hash: 3A519E724083809FD375EB24C886B9FBBE8AF95314F50492DF19D87292DB705948CBA3
        APIs
        • InvalidateRect.USER32(?,00000000,00000001), ref: 00C577F0
        • GetClientRect.USER32(?,?), ref: 00C577FF
        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 00C578BB
        • SetWindowPos.USER32(?,00000000,00000000,?,?,?,00000004), ref: 00C57954
        • CreateRoundRectRgn.GDI32(00000000,00000000,?,?,0000000F,0000000F), ref: 00C5796D
        • SetWindowRgn.USER32(?,00000000,00000001), ref: 00C5797F
        • DeleteObject.GDI32(00000000), ref: 00C5798A
        Similarity
        • API ID: RectWindow$ClientCreateDeleteInvalidateObjectRound
        • String ID:
        • API String ID: 1875782647-0
        • Opcode ID: 4fd604dfca4c34f23ea8f646f04450119117949d9c5eaee66f969468e6a5f0ba
        • Instruction ID: 1b8611db0b26a7a7fae35dfc793fe58f6d055bd803c25127e4d3687f8bbb283a
        • Opcode Fuzzy Hash: 4fd604dfca4c34f23ea8f646f04450119117949d9c5eaee66f969468e6a5f0ba
        • Instruction Fuzzy Hash: B151B5392042019FD724EF68DC89F6A77A4EF84311F154658FD599F286CB30ED84CB65
        APIs
        • ReadFile.KERNEL32(?,?,?,00000000,?,05A2C2A1), ref: 00C566CF
        • GetOverlappedResult.KERNEL32(?,?,?,00000001,?,?,00000000,?,05A2C2A1), ref: 00C566E5
        • GetLastError.KERNEL32(?,?,00000000,?,05A2C2A1), ref: 00C566ED
        • GetOverlappedResult.KERNEL32(?,?,?,00000001,?,?,00000000,?,05A2C2A1), ref: 00C5670A
        Similarity
        • API ID: OverlappedResult$ErrorFileLastRead
        • String ID: GetOverlappedResult failed: $ReadFile failed:
        • API String ID: 1568971542-2303412416
        • Opcode ID: 1511bd42ff3eaeaa47673bd5b7713468e34675a57cac55ba4624ec58abdbf835
        • Instruction ID: da276a2bad8e550af8c4e2e6003d137bd0440088d3d6ee76da1e6196b6d3bc29
        • Opcode Fuzzy Hash: 1511bd42ff3eaeaa47673bd5b7713468e34675a57cac55ba4624ec58abdbf835
        • Instruction Fuzzy Hash: 8851D1B5508380ABD320DF21CC85F9BB7E9FB84704F404A2DF59987281DB75E548CBA2
        APIs
        • GetOverlappedResult.KERNEL32(000000FF,?,?,00000000,05A2C2A1), ref: 00C56517
        • GetLastError.KERNEL32 ref: 00C56521
          • Part of subcall function 00C6D850: FormatMessageW.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,?,?,?,0000000F), ref: 00C6D8DF
          • Part of subcall function 00C6D850: GetLastError.KERNEL32(?,?,?,0000000F), ref: 00C6D8E9
          • Part of subcall function 00C6D850: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C6D98E
        • ReadFile.KERNEL32(000000FF,?,00000004,?,?,05A2C2A1), ref: 00C565B1
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLast$FileFormatIos_base_dtorMessageOverlappedReadResultstd::ios_base::_
        • String ID: GetOverlappedResult failed: $ReadFile failed:
        • API String ID: 4064563933-2303412416
        • Opcode ID: 351c5e692c5cb67aef19d803b33139f3bf862b0fffb41efa392950f59e18642f
        • Instruction ID: d9cdffeb70d155d7ca6f173b164d93ddf2a7ec0247cde5152bc1be077b649109
        • Opcode Fuzzy Hash: 351c5e692c5cb67aef19d803b33139f3bf862b0fffb41efa392950f59e18642f
        • Instruction Fuzzy Hash: A741E5725087809FD324DF25C881F9BB7ECFB84711F504A2EE59683681EB35A509DBA2
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,00000000,?), ref: 00C68FBD
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00C68FFF
        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00C69009
        • ReadFile.KERNEL32(00000000,?,0000FFFF,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C69038
        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C6905D
        • CloseHandle.KERNEL32(00000000), ref: 00C69082
        • CloseHandle.KERNEL32(00000000), ref: 00C69085
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: File$CloseHandle$ByteCharCreateMultiWide$ReadWrite
        • String ID:
        • API String ID: 2626642813-0
        • Opcode ID: c09ad6403d2ad197018b65b8082fa9ffa96852dfe93b961f6b77711448d01d54
        • Instruction ID: f86034ef46252f5f053fb3ff40db9a7ee4e6cda64374e4f6c55870bf4a3cc50e
        • Opcode Fuzzy Hash: c09ad6403d2ad197018b65b8082fa9ffa96852dfe93b961f6b77711448d01d54
        • Instruction Fuzzy Hash: 213195716443056BE230EB24DC82FAF73DCEF99710F040619F695AB1C1DBB5EE0896A6
        APIs
          • Part of subcall function 00C885F0: LoadCursorW.USER32(00000000,00007F89), ref: 00C88635
          • Part of subcall function 00C885F0: LoadCursorW.USER32(00000000,00007F00), ref: 00C88643
        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000000), ref: 00C886DD
        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C8872B
        • TranslateMessage.USER32(?), ref: 00C88745
        • DispatchMessageW.USER32(?), ref: 00C8874C
        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C88759
        Strings
        • Fail create Fusion window, xrefs: 00C88675
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$CursorLoad$DispatchTranslateWindow
        • String ID: Fail create Fusion window
        • API String ID: 3996691576-1488218302
        • Opcode ID: 9f727db78b88b05d46e8d86ffd2045e93c76be64e69ef91c6dbb4e5fea5a6922
        • Instruction ID: af5ce39fc35f8dae606169334ec83316351f5fc080464f492d06a16293ffd58c
        • Opcode Fuzzy Hash: 9f727db78b88b05d46e8d86ffd2045e93c76be64e69ef91c6dbb4e5fea5a6922
        • Instruction Fuzzy Hash: 893160B1604340AFD310EB699D85F6BB7E8AB88704F40491DF585D7681EB70E9058B65
        APIs
        • SysAllocString.OLEAUT32(?), ref: 00C5C98C
        • SysFreeString.OLEAUT32(00000000), ref: 00C5C9BE
        • SysStringLen.OLEAUT32(?), ref: 00C5C9CF
        • SysStringLen.OLEAUT32(?), ref: 00C5C9DA
        • SysFreeString.OLEAUT32(?), ref: 00C5C9F3
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: String$Free$Alloc
        • String ID:
        • API String ID: 986138563-0
        • Opcode ID: 3f33323c1882cfdc1b90518ef94e63b1bbd72e6ae485f2e1c966d19a3fca18ec
        • Instruction ID: 98712abb901ac9670eb03a41cf3ba349d2a937389553daa588b8c9a625b095bf
        • Opcode Fuzzy Hash: 3f33323c1882cfdc1b90518ef94e63b1bbd72e6ae485f2e1c966d19a3fca18ec
        • Instruction Fuzzy Hash: C021BD766013585FD310DA98EC80E6FB79CFBC8724B00491AFA48D7201C675DD448BE5
        APIs
        • FormatMessageW.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,?,?,?,0000000F), ref: 00C6D8DF
        • GetLastError.KERNEL32(?,?,?,0000000F), ref: 00C6D8E9
        • LocalFree.KERNEL32(?), ref: 00C6D951
        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C6D98E
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorFormatFreeIos_base_dtorLastLocalMessagestd::ios_base::_
        • String ID: Error code: $FormatMessage error - code
        • API String ID: 3261245394-2103817664
        • Opcode ID: 954bcc46d84e857d940c210309e32213b9e3c8dc423377ca6762ba9a430e62ed
        • Instruction ID: 8a0279096546216e4162b4977be6233fbfaeb0123d6b90a2b2716ade35df3743
        • Opcode Fuzzy Hash: 954bcc46d84e857d940c210309e32213b9e3c8dc423377ca6762ba9a430e62ed
        • Instruction Fuzzy Hash: 95319675608380ABE324EB64DC46F9F77E8BF84704F00491DF68697291EBB59508CB63
        APIs
          • Part of subcall function 00C4F570: DeleteObject.GDI32(?), ref: 00C4F592
          • Part of subcall function 00C4F570: DeleteObject.GDI32(?), ref: 00C4F59F
          • Part of subcall function 00C4F570: DeleteObject.GDI32(?), ref: 00C4F5B0
          • Part of subcall function 00C4F570: DeleteObject.GDI32(?), ref: 00C4F5CB
          • Part of subcall function 00C4F570: DeleteObject.GDI32(?), ref: 00C4F5E6
          • Part of subcall function 00C4F570: DeleteObject.GDI32(?), ref: 00C4F601
        • GetIconInfo.USER32(?,?), ref: 00C4F6C3
        • DeleteObject.GDI32(?), ref: 00C4F705
        • DeleteObject.GDI32(?), ref: 00C4F70C
        • GetIconInfo.USER32(?,?), ref: 00C4F738
        • DeleteObject.GDI32(?), ref: 00C4F75D
        • DeleteObject.GDI32(?), ref: 00C4F764
        • IsWindow.USER32(?), ref: 00C4F76A
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: DeleteObject$IconInfo$Window
        • String ID:
        • API String ID: 1247420620-0
        • Opcode ID: 162fed951da802a399313ca28c98525421a7c7ba9190794e734e8960a1ea4493
        • Instruction ID: 370ace252fce781135c95bf491488cbc4518ed2739082c8516d7f3b16f60a07b
        • Opcode Fuzzy Hash: 162fed951da802a399313ca28c98525421a7c7ba9190794e734e8960a1ea4493
        • Instruction Fuzzy Hash: E53129B16083029FD314DF29D980B5BB7E8BF98700F00492EF499C7260EB75E909CBA1
        APIs
        • CreateWindowExW.USER32(00000000,Static,00CEA784,5000010E,00000296,00000005,0000000D,0000000D,?,00000000,00000000,00000000), ref: 00C884BA
          • Part of subcall function 00C6C650: GetTempPathW.KERNEL32(00000104,?,05A2C2A1,?,?), ref: 00C6C6D8
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • GetModuleHandleW.KERNEL32(00000000,?,00000000,00000000,00000000,00000010), ref: 00C88528
        • LoadImageW.USER32(00000000), ref: 00C8852F
        • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00C88544
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$CreateHandleImageLoadMessageModulePathSendTempWindow
        • String ID: Static$img\close-fusion.bmp
        • API String ID: 3001717624-4147091464
        • Opcode ID: ed1fd7ae9a34b8618ea1df5169efbf12c8ab03b0415943495590db38d87dd9ad
        • Instruction ID: 1f7e97b409b618a4822c9c89338b45d3e5490dd894f49793c5eeb0ff620a741a
        • Opcode Fuzzy Hash: ed1fd7ae9a34b8618ea1df5169efbf12c8ab03b0415943495590db38d87dd9ad
        • Instruction Fuzzy Hash: 5121B0B5688340BFF310DF64EC8AF5B77E8EB48B04F504919F649AA2D0D7B5E4048B66
        APIs
          • Part of subcall function 00C6F5F0: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 00C6F670
          • Part of subcall function 00C6F5F0: WriteFile.KERNEL32(00000000,--quit-application,--quit-application,?,00000000), ref: 00C6F69B
          • Part of subcall function 00C6F5F0: CloseHandle.KERNEL32(00000000), ref: 00C6F6A2
          • Part of subcall function 00C6F5F0: WaitForSingleObject.KERNEL32(00000000,00002710,?,?,05A2C2A1,00000010,?,?,00000000), ref: 00C6F6D1
          • Part of subcall function 00C6F5F0: TerminateProcess.KERNEL32(00000000,00000001,?,?,05A2C2A1,00000010,?,?,00000000), ref: 00C6F6DE
          • Part of subcall function 00C6F5F0: WaitForSingleObject.KERNEL32(00000000,00002710,?,?,05A2C2A1,00000010,?,?,00000000), ref: 00C6F6F2
        • Sleep.KERNEL32(00000064,?,?,00000000), ref: 00C4E592
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: FileObjectSingleWait$CloseCreateHandleProcessSleepTerminateWrite
        • String ID: - $Error while unpacking binaries to $Error while unpacking libs to $Not enough free space in target dir $Unable to write in target dir
        • API String ID: 2827360088-3840011116
        • Opcode ID: 588031f13cd56a2b32da6c5d045394ba88efdd48e5aa5a122c12ceafcc0a0e9f
        • Instruction ID: ba639bb4a0d9f04f998ed2fbb7634a704ef4132bddbfcbb474df2d27c1a74f05
        • Opcode Fuzzy Hash: 588031f13cd56a2b32da6c5d045394ba88efdd48e5aa5a122c12ceafcc0a0e9f
        • Instruction Fuzzy Hash: 26D1B5B1509380AFD325EB64D892BAFB7E9BF88704F044D1DF18987242EB75A904D763
        APIs
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBDBB6
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBDBCC
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBDC1A
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBDC4D
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBDCCE
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CBDE6B
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
        • String ID:
        • API String ID: 885266447-0
        • Opcode ID: bedd32e96451f275500c20d523f24e517784c81d2e296a6eff3d7c4dac59d535
        • Instruction ID: 298a042064b50af3cb04bfcfe969dab30fed36844d5e335e1858bbb182397db3
        • Opcode Fuzzy Hash: bedd32e96451f275500c20d523f24e517784c81d2e296a6eff3d7c4dac59d535
        • Instruction Fuzzy Hash: E4B18D74604B048FE354DF69C480AABBBE5FFC8314F248A2EE56A87351EB71E845CB51
        APIs
          • Part of subcall function 00C61F00: lstrcmpiW.KERNEL32(?,00004008), ref: 00C61F7E
        • lstrlenW.KERNEL32(?,?), ref: 00C63037
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: lstrcmpilstrlen
        • String ID:
        • API String ID: 3649823140-0
        • Opcode ID: 1228baef1eac34d2da6604bc1a49d7370e50da3337906617e1ecd2112d148227
        • Instruction ID: 9c7f3c1bd4f4cb4237323c211f30cea0953e20966eb858eda4777a8b381286cf
        • Opcode Fuzzy Hash: 1228baef1eac34d2da6604bc1a49d7370e50da3337906617e1ecd2112d148227
        • Instruction Fuzzy Hash: 5A919271A042899BDB34DF64CCD1BEE73B9BF58710F144129EA0A9B281EB749B44C7A1
        APIs
        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?), ref: 00C774FD
        • GetCurrentThreadId.KERNEL32 ref: 00C77532
        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C775B1
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CreateCurrentFileQueryThreadVirtual
        • String ID:
        • API String ID: 1098341388-0
        • Opcode ID: 2fb1c12afdf5d3b843ba7da60886c628f63d6e20596cefa155405a4d1168f597
        • Instruction ID: 82675f5672c15e61309746efa009f40c59bb1c088d3edcee34155094ec329d65
        • Opcode Fuzzy Hash: 2fb1c12afdf5d3b843ba7da60886c628f63d6e20596cefa155405a4d1168f597
        • Instruction Fuzzy Hash: 7C7126B12083449FD724CF68C880BABBBE9BFC8714F048A1DF99997251D7759A04CB62
        APIs
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,05A2C2A1,?,?,?,?,?,?,?,?,00CDB290,000000FF), ref: 00C64C27
        • FindResourceW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00CDB290,000000FF), ref: 00C64C45
        • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CDB290,000000FF), ref: 00C64D1E
          • Part of subcall function 00C5A980: GetLastError.KERNEL32 ref: 00C5A980
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Library$ErrorFindFreeLastLoadResource
        • String ID:
        • API String ID: 3418355812-0
        • Opcode ID: cc85352146908d9d6da53044cd0edbc5d1434e1ae6f1f2ff93891c3195c41769
        • Instruction ID: 9bcd074621050db9dbd94e0923152bb9d5a42086401cadf618b4251e1187898f
        • Opcode Fuzzy Hash: cc85352146908d9d6da53044cd0edbc5d1434e1ae6f1f2ff93891c3195c41769
        • Instruction Fuzzy Hash: 5441B3B1901149EBCB28DF55CC85BEE77B8FF84310F10812AF909AB341DB349A45DB65
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CharNext
        • String ID:
        • API String ID: 3213498283-0
        • Opcode ID: 1673d5f9a1d36f5f66b2448e9e9735f199dd48cda165222d4a63d5a0ee7941a0
        • Instruction ID: 68bf60d9456c4595f70b5f122b553fa9fdd30c87698792798471e6d57906a452
        • Opcode Fuzzy Hash: 1673d5f9a1d36f5f66b2448e9e9735f199dd48cda165222d4a63d5a0ee7941a0
        • Instruction Fuzzy Hash: D6410731608622CBCB349F38C8D073BB3E6EFA6720B544466E651CB258EB35DD82C756
        APIs
        • VerSetConditionMask.NTDLL(00000000,00000000,00000002,?), ref: 00CA79E6
        • VerSetConditionMask.NTDLL(00000000,?,00000001,?), ref: 00CA79F1
        • VerSetConditionMask.NTDLL(00000000,?,00000020,?), ref: 00CA79FC
        • VerSetConditionMask.NTDLL(00000000,?,00000010,?), ref: 00CA7A07
        • VerSetConditionMask.NTDLL(00000000,?,00000008,00000001), ref: 00CA7A13
        • VerifyVersionInfoA.KERNEL32(?,00000033,00000000), ref: 00CA7A1E
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ConditionMask$InfoVerifyVersion
        • String ID:
        • API String ID: 2793162063-0
        • Opcode ID: b18f59d13e5076e029a2d352b6834213d3ce4ccf46ce9c7778346d4203ac83aa
        • Instruction ID: 8ae2aeba8de3842d5064fc7f3178e710fec629f3263dbf62ae3b1a0c9a61304a
        • Opcode Fuzzy Hash: b18f59d13e5076e029a2d352b6834213d3ce4ccf46ce9c7778346d4203ac83aa
        • Instruction Fuzzy Hash: C831707160C381AFE220CB68DC45F6FBBE8ABD5704F044E0EF1945B282C7B59A049B63
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: DeleteObject
        • String ID:
        • API String ID: 1531683806-0
        • Opcode ID: 9b8f79c61b5a00ced13c3bcf74e5d47d935175e425426ad11dcde9eac0a2b83e
        • Instruction ID: f8c286a4cbe48a655b39363d43a5069432fd58e2baf15115119e1dee60415e63
        • Opcode Fuzzy Hash: 9b8f79c61b5a00ced13c3bcf74e5d47d935175e425426ad11dcde9eac0a2b83e
        • Instruction Fuzzy Hash: 503144B5906B458FD7A0DF798888B97B7E4BB44340F258A3ED1BEC6210DB31A541DF20
        APIs
        • ClientToScreen.USER32(?,?), ref: 00C5AE56
        • ClientToScreen.USER32(?,?), ref: 00C5AE65
        • GetParent.USER32(?), ref: 00C5AE6B
        • ScreenToClient.USER32(00000000,?), ref: 00C5AE84
        • ScreenToClient.USER32(00000000,?), ref: 00C5AE90
        • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00C5AEB1
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ClientScreen$MoveParentWindow
        • String ID:
        • API String ID: 2420994850-0
        • Opcode ID: 7abb06006e955e1d87df1b95c7d6b186acec4b204de065d436441a77da0da7bc
        • Instruction ID: 3975a5f5bec66187d54a3873f0134b51b9f7c76854fc1b2e3dffed01edc6a506
        • Opcode Fuzzy Hash: 7abb06006e955e1d87df1b95c7d6b186acec4b204de065d436441a77da0da7bc
        • Instruction Fuzzy Hash: 1F11D3B6608302AF9704CF69D894E6BB7EDFB88710F048A1DB95487210D770E9098BA6
        APIs
        • RtlEnterCriticalSection.NTDLL(?), ref: 00C7702B
        • RtlLeaveCriticalSection.NTDLL(?), ref: 00C7703B
        • GetCurrentThreadId.KERNEL32 ref: 00C77049
        • ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 00C77074
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C77083
        • RtlLeaveCriticalSection.NTDLL ref: 00C770AE
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalSection$Leave$CurrentEnterObjectReleaseSemaphoreSingleThreadWait
        • String ID:
        • API String ID: 1205197067-0
        • Opcode ID: 76ca7000f84c26d2047e75f98a9ad4fca6c0e4034b2b96d4177fb487add9dd30
        • Instruction ID: aab6ac2b1b7a5f50ca1ca4fc60985ea8364580d1c48d6703d7573b43eac4d9eb
        • Opcode Fuzzy Hash: 76ca7000f84c26d2047e75f98a9ad4fca6c0e4034b2b96d4177fb487add9dd30
        • Instruction Fuzzy Hash: 97010C721057009FE3609F34DC48FCBBBE9BF55711F014A1EE2AA97290C7746849CB61
        APIs
        • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?), ref: 00C74191
        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?), ref: 00C74240
          • Part of subcall function 00C6A5F0: RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?,0000000F,00000000,00CE2949,00000000,05A2C2A1,0000000F,00000000,00000010,00000000), ref: 00C6A650
        Strings
        • SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules, xrefs: 00C74117
        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00C74068
        • (?i), xrefs: 00C741CF
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Open$EnumValue
        • String ID: (?i)$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
        • API String ID: 3377321004-1116535974
        • Opcode ID: b2c830ac661fac38eaa78e1e36ac1278ba9c82cfcb9b4069ecf2e71a3276b034
        • Instruction ID: 84ad355bead68a4e3c623377d2303ef33eb9bab2326755f7704fbe48e9866be2
        • Opcode Fuzzy Hash: b2c830ac661fac38eaa78e1e36ac1278ba9c82cfcb9b4069ecf2e71a3276b034
        • Instruction Fuzzy Hash: 84918CB15083809FD324DB64C885BAFBBE8AF95304F04892EF19D87292E7749548DB63
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00CE2A70), ref: 00C95C79
        • ReadFile.KERNEL32(00000000,?,0000FFFF,?,00000000,?,?,?,?,?,?,00CE2A70), ref: 00C95DD5
        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00CE2A70), ref: 00C95E49
          • Part of subcall function 00C55DF0: GetLastError.KERNEL32(00000068,?,00C56B16,?), ref: 00C55DFA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharFileMultiWide$CloseCreateErrorHandleLastRead
        • String ID: - $Error opening
        • API String ID: 3529585578-4182346279
        • Opcode ID: 491e89f06ff161248cb44e4b1ea2ea20509a7b96d4fd3d4800f46d21c0c6963a
        • Instruction ID: 5fe1c45c6b66680adad2b37299434f2eeae1bed7fbb00a0b996997f3e23ffa33
        • Opcode Fuzzy Hash: 491e89f06ff161248cb44e4b1ea2ea20509a7b96d4fd3d4800f46d21c0c6963a
        • Instruction Fuzzy Hash: 2791F2B24087809BD721DF25D845B9FB7E8AF95704F04092DF6C987282D779D648CBA3
        APIs
        • GetClassInfoExW.USER32(00000000,?,?), ref: 00C5EDFC
        • GetClassInfoExW.USER32(?,?,?), ref: 00C5EE0F
        • LoadCursorW.USER32(?,?), ref: 00C5EE51
          • Part of subcall function 00C58920: RtlEnterCriticalSection.NTDLL ref: 00C58926
          • Part of subcall function 00C58C40: RtlLeaveCriticalSection.NTDLL ref: 00C58C4C
        • GetClassInfoExW.USER32(?,00000000,?), ref: 00C5EE99
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ClassInfo$CriticalSection$CursorEnterLeaveLoad
        • String ID: 0
        • API String ID: 158815643-4108050209
        • Opcode ID: 9f00a8f15ee92c62293aa9dc9c5b2be6f59db01c9dccc5d419140d0a8d2364fa
        • Instruction ID: 2c4bb759b160ca05f6315738b51c02eb7893e6182ea244d004213d8aa71443e8
        • Opcode Fuzzy Hash: 9f00a8f15ee92c62293aa9dc9c5b2be6f59db01c9dccc5d419140d0a8d2364fa
        • Instruction Fuzzy Hash: 2A5188796043459BDB28CF14C840BAAB7E8FF88715F00451DFD5993380EB75EA88CB96
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,?,?), ref: 00C68F47
        • SetErrorMode.KERNEL32(00000001,?,00000000,00000044,05A2C2A1), ref: 00C6ED26
        • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C6ED49
        • WaitForSingleObject.KERNEL32(?,000001F4), ref: 00C6ED62
        • GetExitCodeProcess.KERNEL32(?,?), ref: 00C6ED72
          • Part of subcall function 00C6E6B0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C6E742
          • Part of subcall function 00C3AD10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AD4A
          • Part of subcall function 00C3AD10: std::_String_base::_Xlen.LIBCPMT ref: 00C3AD61
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$ProcessString_base::_Xlenstd::_$CodeCreateErrorExitIos_base_dtorModeObjectSingleWaitstd::ios_base::_
        • String ID: Process error:
        • API String ID: 2137553366-788130964
        • Opcode ID: 6d7076f36dcb3ed017f44cca2ff5848c2149e114fbd16635605de97103fca603
        • Instruction ID: db6ab81cc69ca14ac4b72115648bf82cd88567f0c309275064746fcee62702b8
        • Opcode Fuzzy Hash: 6d7076f36dcb3ed017f44cca2ff5848c2149e114fbd16635605de97103fca603
        • Instruction Fuzzy Hash: DE41A4B15183819BD334EB64CCC5F9FB7ECAF94700F044A1EF59992281DB759A0897A3
        APIs
        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3C16C
        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3C192
        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3C23E
        • std::locale::facet::facet_Register.LIBCPMT ref: 00C3C259
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: LockitLockit::_std::_$Registerstd::locale::facet::facet_
        • String ID: bad cast
        • API String ID: 3345047611-3145022300
        • Opcode ID: bd0ae68eacebf89f81e59962828a4451a2585a0175203b20d9fc2555d53d8e68
        • Instruction ID: 908e9dc5c8c0ffaa47b47956a98a26b52f3ea8ac4b42dfa4ad859f91e86dd18f
        • Opcode Fuzzy Hash: bd0ae68eacebf89f81e59962828a4451a2585a0175203b20d9fc2555d53d8e68
        • Instruction Fuzzy Hash: 9331BB715187008BC724DF14C881B6EB7A0FB54720F000A1EF966E73A2DB34E944EBA2
        APIs
        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3B62C
        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3B652
        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3B6FE
        • std::locale::facet::facet_Register.LIBCPMT ref: 00C3B719
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: LockitLockit::_std::_$Registerstd::locale::facet::facet_
        • String ID: bad cast
        • API String ID: 3345047611-3145022300
        • Opcode ID: 8ce4772872f46341c818129915aa68aa257fe8d02486a04db183dd3a3c7995c3
        • Instruction ID: 05328628f392eafe1110beade5b20d2cf835e5de0414ce59bb9de89a086c929f
        • Opcode Fuzzy Hash: 8ce4772872f46341c818129915aa68aa257fe8d02486a04db183dd3a3c7995c3
        • Instruction Fuzzy Hash: EC31E4719187408FD718DF14D852B6A77B0FB54320F00061EF666973A2DB30ED45CB92
        APIs
        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3C01C
        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3C042
        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3C0EE
        • std::locale::facet::facet_Register.LIBCPMT ref: 00C3C109
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: LockitLockit::_std::_$Registerstd::locale::facet::facet_
        • String ID: bad cast
        • API String ID: 3345047611-3145022300
        • Opcode ID: 8e635ef7ea459ca665773ed4d8903884443e25b67c09d5ed64d9ca78991f2350
        • Instruction ID: 0395438f471f4ff33cada86a418c8304e42ea7e61cecd984f7c1c0615d4bb89b
        • Opcode Fuzzy Hash: 8e635ef7ea459ca665773ed4d8903884443e25b67c09d5ed64d9ca78991f2350
        • Instruction Fuzzy Hash: 7131BD75914780CFC718EF14C891B6EB3A0FB54724F440A2EFA66A73A1DB34E944CB92
        APIs
        • GetWindowRect.USER32(?), ref: 00C88ACB
          • Part of subcall function 00C87E20: LoadLibraryW.KERNEL32(?), ref: 00C87F85
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: LibraryLoadRectWindow
        • String ID: 1.50$Fail init Fusion dll$b6NjbxrNFzBuonxVAJ9NYjamf1YPkktbBfEkYyDO$mg14
        • API String ID: 2609908848-1128788587
        • Opcode ID: e9cfbade95d9f18830a36117be56a945bc3b2b30f547a172817a9137e9ddad64
        • Instruction ID: 36d07816f20aa8fd3d2faecc4e22bdea922500b65312a01cd1e44146ecc3baea
        • Opcode Fuzzy Hash: e9cfbade95d9f18830a36117be56a945bc3b2b30f547a172817a9137e9ddad64
        • Instruction Fuzzy Hash: 0331D1B1204340AFD314EF24CD85B66BBE4FB84718F84092DF4059B6D2DB74E909CBA6
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • CreateEventW.KERNEL32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,-install-event), ref: 00C74C63
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,-install-event), ref: 00C74C6B
        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,-install-event), ref: 00C74C7B
        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,-install-event), ref: 00C74C84
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$CloseCreateErrorEventHandleLastObjectSingleWait
        • String ID: -install-event
        • API String ID: 2894420377-3182879268
        • Opcode ID: 79eb65d606f8640466dcf409184f921c18772821a92238677336e39070375eef
        • Instruction ID: 1588e4dfe15f317070f5a0014c62887809e964cc3f8a96fe5b20745540672ef3
        • Opcode Fuzzy Hash: 79eb65d606f8640466dcf409184f921c18772821a92238677336e39070375eef
        • Instruction Fuzzy Hash: 6811E2B1508340ABD705DF24DC86F4FBBECEB48710F104A19F55AD62D0DB79D9449B62
        APIs
        • GetModuleHandleW.KERNEL32(00000000), ref: 00C87C79
        • CreateSolidBrush.GDI32 ref: 00C87CC4
        • RegisterClassW.USER32(?), ref: 00C87CD3
        • CreateWindowExW.USER32(00000000,?,00000000,82000000,80000000,80000000,000002A8,00000136,00000000,00000000,00000000,00000000), ref: 00C87D0D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Create$BrushClassHandleModuleRegisterSolidWindow
        • String ID: FusionWindow
        • API String ID: 3438359160-696843085
        • Opcode ID: b9995387666aea4a6e78ebf6f2d12f424cd15cdd52aa3b48f7961affd3d0843d
        • Instruction ID: 289e8a990fb1d8dffd652d1adac61066bbe9d147183167ff82972a2093ec0d0f
        • Opcode Fuzzy Hash: b9995387666aea4a6e78ebf6f2d12f424cd15cdd52aa3b48f7961affd3d0843d
        • Instruction Fuzzy Hash: B511FAB0949340AFD350DF25DD49B4FBEE4EB88755F104A2EF598E6280E7709504CF96
        APIs
        • GetModuleHandleW.KERNEL32(00000000), ref: 00C87D28
        • CreateSolidBrush.GDI32 ref: 00C87D71
        • RegisterClassW.USER32(?), ref: 00C87D80
        • CreateWindowExW.USER32(00000000,?,00CE5924,52000084,00000050,00000000,00000208,00000104,?,00000000,00000000,00000000), ref: 00C87DAF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Create$BrushClassHandleModuleRegisterSolidWindow
        • String ID: FusionSubWindow
        • API String ID: 3438359160-1628799853
        • Opcode ID: e50b6d360b7031464d0e64ea921f0faada98eed217e4e4071f42e54be3949959
        • Instruction ID: d350e5b51bef974951c6c4dcb19dd53c947962225842af76f6a87c0fb718b4b9
        • Opcode Fuzzy Hash: e50b6d360b7031464d0e64ea921f0faada98eed217e4e4071f42e54be3949959
        • Instruction Fuzzy Hash: D911FAB094D340AFD3188F15E94AB0BBAE4FB8C754F104A1EF189AA390D7B095448F5A
        APIs
        • CoInitialize.OLE32(00000000), ref: 00C4D551
          • Part of subcall function 00C6A390: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000010,00000001,0000000F,00000000), ref: 00C6A41C
        Strings
        • Unable to create shortcut on desktop - , xrefs: 00C4D671
        • Unable to create shortcut in all programms - , xrefs: 00C4D7DB
        • Unable to create shortcut in programm group - , xrefs: 00C4D945
        • Unable to create uninstaller shortcut in programm group - , xrefs: 00C4DB4B
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: FolderInitializePathSpecial
        • String ID: Unable to create shortcut in all programms - $Unable to create shortcut in programm group - $Unable to create shortcut on desktop - $Unable to create uninstaller shortcut in programm group -
        • API String ID: 2677077979-120842546
        • Opcode ID: 6ded47041243cdc860e4a11ca2766a953806f617fb098fb27beae0eb6c969259
        • Instruction ID: 96a331f2fea45f8257ea337b91d5b215e5f254857a20f2f980d98c7eef945569
        • Opcode Fuzzy Hash: 6ded47041243cdc860e4a11ca2766a953806f617fb098fb27beae0eb6c969259
        • Instruction Fuzzy Hash: 02127FB58193C0ABD321EB648981A5FBBE8AFD8704F444C1EF1C993212EB35D548DB63
        APIs
          • Part of subcall function 00C6AEB0: GetTempPathW.KERNEL32(00000104,?,05A2C2A1,00000000,00000000), ref: 00C6AF38
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00C687FF
        • GetLastError.KERNEL32 ref: 00C68810
        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C688A8
        • SetEndOfFile.KERNEL32(00000000), ref: 00C688AF
        • CloseHandle.KERNEL32(00000000), ref: 00C688B6
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: File$ByteCharMultiWide$CloseCreateErrorHandleLastPathTempWrite
        • String ID:
        • API String ID: 1912570573-0
        • Opcode ID: 12d789cf93c260171b46e0cbec2acc98fa63f4f92f03efa89b5656b1cc832746
        • Instruction ID: 9841027901b29d81b763f6206fdec1c8791f94f291e9c85c97b83a693b453bf7
        • Opcode Fuzzy Hash: 12d789cf93c260171b46e0cbec2acc98fa63f4f92f03efa89b5656b1cc832746
        • Instruction Fuzzy Hash: AF8183B55083809FD730EB64D8C9B9FB7E9AF98304F540A1DF19947281DB359A08DB63
        APIs
        • Sleep.KERNEL32(00000064), ref: 00C4DEAE
          • Part of subcall function 00C6A260: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000001,?,00000000), ref: 00C6A2EC
        Strings
        • Unable to make mgUserProgrammsShortcutDir path - , xrefs: 00C4E052
        • Unable to make mgInstallDir path - , xrefs: 00C4DED6
        • showPage, xrefs: 00C4DE22
        • Unable to make mgSettingsDir path - , xrefs: 00C4DF87
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: FolderPathSleepSpecial
        • String ID: Unable to make mgInstallDir path - $Unable to make mgSettingsDir path - $Unable to make mgUserProgrammsShortcutDir path - $showPage
        • API String ID: 3834719940-3921465697
        • Opcode ID: f7cbe3f969a4fcc0f8304956f9a871d6da2ab968253b8667d15a46aedf734a1a
        • Instruction ID: 66297c2c54270736f5010146774413e6b62c38e55a53c5448189b0fd2613a74d
        • Opcode Fuzzy Hash: f7cbe3f969a4fcc0f8304956f9a871d6da2ab968253b8667d15a46aedf734a1a
        • Instruction Fuzzy Hash: C171D6B15083809BD330FB60D886B5F77E8AF84704F00492DF18A57293EB759948ABB7
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLastSleep
        • String ID:
        • API String ID: 1458359878-0
        • Opcode ID: 20132ea4128d777843e7efac3a8fda74d878199b33be1709ef6b26c0463f38cc
        • Instruction ID: 56bf1b5eb6d9fcaadec5a6c2d37929c9fa42866e7a779f84a56df52b0a744b81
        • Opcode Fuzzy Hash: 20132ea4128d777843e7efac3a8fda74d878199b33be1709ef6b26c0463f38cc
        • Instruction Fuzzy Hash: 2E51B971614B058BC735DF28D884BABF3E5BF84320F904D2DE5A5C2280E775EAC58B92
        APIs
        • Sleep.KERNEL32(000003E8,05A2C2A1), ref: 00C4965C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Sleep
        • String ID: back$close$currentState$skip
        • API String ID: 3472027048-4238961454
        • Opcode ID: fba932dde82dfc56f28e43d8049a23ea9c0bfcc5abee169a707eafdcf67b2772
        • Instruction ID: dc685c8212a0de4c58404cdfc2d37569b4c980e4da1f1a65658d8901e0fd37e5
        • Opcode Fuzzy Hash: fba932dde82dfc56f28e43d8049a23ea9c0bfcc5abee169a707eafdcf67b2772
        • Instruction Fuzzy Hash: 745179B1918380ABD714DF699881B5BFBE8BFD5700F40492EF19687291EB74D908CB63
        APIs
        • CreateToolhelp32Snapshot.KERNEL32 ref: 00C68C62
        • Process32FirstW.KERNEL32(00000000,00000010), ref: 00C68C77
        • Process32NextW.KERNEL32(00000000,?), ref: 00C68CF8
        • Process32NextW.KERNEL32(00000000,?), ref: 00C68D53
        • CloseHandle.KERNEL32(00000000,00000010,?), ref: 00C68D5D
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
        • String ID:
        • API String ID: 2284531361-0
        • Opcode ID: 3dda727e5c75c455df5c946e7fc9ee76bd5da79341c7c59b25c1856c1e813cb7
        • Instruction ID: 495056bc3cf0b1be377f8b461e2383c18a22f88bfbcc2cdca16f57ab51c54d89
        • Opcode Fuzzy Hash: 3dda727e5c75c455df5c946e7fc9ee76bd5da79341c7c59b25c1856c1e813cb7
        • Instruction Fuzzy Hash: F031D86520428126D731AF3488D1BBB77EA9FE5710F444719E9A5C72C1EF36CA0DC262
        APIs
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,05A2C2A1,05A2C2A1), ref: 00C6947D
        • RegEnumKeyW.ADVAPI32 ref: 00C694BE
        • RegCloseKey.ADVAPI32(?), ref: 00C694EE
          • Part of subcall function 00C69440: RegEnumKeyW.ADVAPI32(?,00000000,00000000,000003E8), ref: 00C694E3
        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C69503
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Enum$CloseDeleteOpen
        • String ID:
        • API String ID: 2095303065-0
        • Opcode ID: 22f87185d9426713531c6865a3a1049992d361301fa06bb5f7d0490f5f319ef6
        • Instruction ID: 41e2c69333bd27a02364bf2f57beecd4dcffcf9040bec026b88390049ded1548
        • Opcode Fuzzy Hash: 22f87185d9426713531c6865a3a1049992d361301fa06bb5f7d0490f5f319ef6
        • Instruction Fuzzy Hash: 3121F872644344ABD220EF14EC81F6B77DCEB84B54F00062AF949A73C0DA39EA05C7B2
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Focus$ChildWindow
        • String ID:
        • API String ID: 501040988-0
        • Opcode ID: cd075d7a7898d8d7a74e8513af501424d7264ac8f21e94fd082a4bdbb26787c8
        • Instruction ID: 0399c25b78199068cb221466add0869c04d840eee62273381b09a3978b3f95a1
        • Opcode Fuzzy Hash: cd075d7a7898d8d7a74e8513af501424d7264ac8f21e94fd082a4bdbb26787c8
        • Instruction Fuzzy Hash: 5D31F9B92047059FD324CF64C8C4B5AB7E8FB49715F108A0DF9AA8B3A0D774A944CB55
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00C51CF1
        • SendMessageW.USER32(00000000), ref: 00C51D10
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C51D28
        • Sleep.KERNEL32(00000064), ref: 00C51D3F
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C51D4E
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$Peek$CurrentSendSleepThread
        • String ID:
        • API String ID: 3626649275-0
        • Opcode ID: 1b63719d1851ef6d0a80e4e9423fbd772a29651c7356bb442b0031c2a4691676
        • Instruction ID: bb8209343de8f6cdc764ab2f82479995ca81791009857d4135c10196dca8269e
        • Opcode Fuzzy Hash: 1b63719d1851ef6d0a80e4e9423fbd772a29651c7356bb442b0031c2a4691676
        • Instruction Fuzzy Hash: 0801D2762403146BD220DB559CC5F9BB7ACEB88761F000519FF149B180D7B2AA8ACBB6
        APIs
        • RtlEnterCriticalSection.NTDLL(?), ref: 00C5DB08
        • GetCurrentThreadId.KERNEL32 ref: 00C5DB15
        • RtlLeaveCriticalSection.NTDLL(?), ref: 00C5DB2F
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalSection$CurrentEnterLeaveThread
        • String ID:
        • API String ID: 2351996187-0
        • Opcode ID: 213e15e2178d3a38eb792dc9e71334fbf7bc130b96efd156af93a6d729476e85
        • Instruction ID: a6d52127f121bd4555db8c7476a22624b83855145897717fb5cad4d5d59b238c
        • Opcode Fuzzy Hash: 213e15e2178d3a38eb792dc9e71334fbf7bc130b96efd156af93a6d729476e85
        • Instruction Fuzzy Hash: 04018B722053149F8720DF19E880B5AF3A9FB98725302863EE95B87615C731BD85CBA4
        APIs
        • RaiseException.KERNEL32(C0000005,00000001,?,?), ref: 00C5DA92
        • GetCurrentThreadId.KERNEL32 ref: 00C5DAAC
        • RtlEnterCriticalSection.NTDLL(?), ref: 00C5DAB9
        • RtlLeaveCriticalSection.NTDLL(?), ref: 00C5DAC9
        • RaiseException.KERNEL32(C0000005,00000001,00000000,00000000), ref: 00C5DAE0
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalExceptionRaiseSection$CurrentEnterLeaveThread
        • String ID:
        • API String ID: 2580436124-0
        • Opcode ID: 30a61e96637c730e2fc2aae7ffab44f115e06ac5957d44b1596faa018260023e
        • Instruction ID: 3c954134506862910968265304a31577a3d51a0e9fc56d8c4f1b5354e035be40
        • Opcode Fuzzy Hash: 30a61e96637c730e2fc2aae7ffab44f115e06ac5957d44b1596faa018260023e
        • Instruction Fuzzy Hash: 8AF03771601345ABD720AF659CC8B0FBBADEF54B12F02841EBA55EB160C7B099448B61
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00C51BDE
        • SendMessageW.USER32(00000000), ref: 00C51BFD
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C51C16
        • Sleep.KERNEL32(00000064), ref: 00C51C25
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C51C34
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$Peek$CurrentSendSleepThread
        • String ID:
        • API String ID: 3626649275-0
        • Opcode ID: d6017c5421bdf0d58d5424bb2249fcd00f97d9b4facb97283257c36885418f4e
        • Instruction ID: 98d96e334c7db338565d9542fe9ab7eef0179d9b5ef8f54d2031c68270403097
        • Opcode Fuzzy Hash: d6017c5421bdf0d58d5424bb2249fcd00f97d9b4facb97283257c36885418f4e
        • Instruction Fuzzy Hash: BB01D135280340BBE2109B548C85F9ABBACAF88B10F044409FB44EB1D0D6F4E9408BA6
        APIs
        • SelectObject.GDI32(?,?), ref: 00C4FC37
        • DeleteObject.GDI32(00000000), ref: 00C4FC47
        • DeleteDC.GDI32(00000000), ref: 00C4FC66
        • IsWindow.USER32(?), ref: 00C4FC82
        • InvalidateRect.USER32(?,00000000,00000001), ref: 00C4FC94
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: DeleteObject$InvalidateRectSelectWindow
        • String ID:
        • API String ID: 2868033160-0
        • Opcode ID: 26db7b0a24254fb5c0371f48fbe7e0e8704ae96a22df161162f7d3eb9e18d564
        • Instruction ID: cb0d4b8dd66fe3b4a3eada7a379de11a40e9ccdce988e488a0893fb7927fa60c
        • Opcode Fuzzy Hash: 26db7b0a24254fb5c0371f48fbe7e0e8704ae96a22df161162f7d3eb9e18d564
        • Instruction Fuzzy Hash: 5F0108702007599BE7388B25CAC8B6B77ECBF00751F44492CE9A7CA9D0CBB4E942CB10
        APIs
        • GetSysColor.USER32(0000000F), ref: 00C4F52C
        • GetSysColor.USER32(00000012), ref: 00C4F533
        • GetSysColor.USER32(0000000F), ref: 00C4F53A
        • GetSysColor.USER32(00000012), ref: 00C4F541
        • InvalidateRect.USER32(?,00000000,00000001), ref: 00C4F555
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Color$InvalidateRect
        • String ID:
        • API String ID: 1573920590-0
        • Opcode ID: 2c4134145299252f0195f4d804fe9139ef698920ae75d2634357938ecd94875f
        • Instruction ID: 820c8e3ddffaf3107bd8f6659ed91a5134754133c7b4af78eb33491dc6585f53
        • Opcode Fuzzy Hash: 2c4134145299252f0195f4d804fe9139ef698920ae75d2634357938ecd94875f
        • Instruction Fuzzy Hash: 72E0C071940754AAD730AB769C49B477BA4AB80710F014829F2558B581D6B5D4419F50
        APIs
          • Part of subcall function 00C69670: GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,000000FF,?,?,?,00CE2949,00000000,05A2C2A1,0000000F,00000000,00000010,00000000), ref: 00C6969C
        • AllowSetForegroundWindow.USER32(000000FF), ref: 00C37559
          • Part of subcall function 00C3B030: std::_String_base::_Xlen.LIBCPMT ref: 00C3B08C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: AllowAttributesFileForegroundString_base::_WindowXlenstd::_
        • String ID: --installer$--test$Error launching soft -
        • API String ID: 1630284597-260646120
        • Opcode ID: a63f6f060fd218a9be87559a72c10b03418c112b93963cca17cebc7a9dddb0a3
        • Instruction ID: 57507e82576ac2c1f4fe35abf0cb066c25f2ac5a8d1e03a4ad715a8e3bf31927
        • Opcode Fuzzy Hash: a63f6f060fd218a9be87559a72c10b03418c112b93963cca17cebc7a9dddb0a3
        • Instruction Fuzzy Hash: AF5190F2818380ABD720EB64D852B6BB7E9BF84704F104E2DF19987252EB35D504DB63
        APIs
          • Part of subcall function 00C68C40: CreateToolhelp32Snapshot.KERNEL32 ref: 00C68C62
          • Part of subcall function 00C68C40: Process32FirstW.KERNEL32(00000000,00000010), ref: 00C68C77
        • CreateThread.KERNEL32(00000000,00000000,Function_00059EA0,?,00000000,?), ref: 00C8A20E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Create$FirstProcess32SnapshotThreadToolhelp32
        • String ID: Fail create server pipe: $Fusion is already runing$fusion-bundle.exe
        • API String ID: 950523040-1335275362
        • Opcode ID: ccb39c550eda9ca254f84412e2231434fc32b00da45a3e56bf1b2abd9c96532f
        • Instruction ID: c26695b9aaa927622e6d025186d52d00ede49f1bea18910f12a26809e6ba0f04
        • Opcode Fuzzy Hash: ccb39c550eda9ca254f84412e2231434fc32b00da45a3e56bf1b2abd9c96532f
        • Instruction Fuzzy Hash: E111DF71544740AFE320EB20CC46B9777E4FB08724F100B2EF5AA922C0EB75A5488B57
        APIs
          • Part of subcall function 00C54AF0: WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,WIN7_ADD_FW_RULE,00000010), ref: 00C54B5F
          • Part of subcall function 00C54AF0: WriteFile.KERNEL32 ref: 00C54B7B
        • DisconnectNamedPipe.KERNEL32(?,05A2C2A1), ref: 00C54CA6
        • CloseHandle.KERNEL32(?), ref: 00C54CB8
        • CloseHandle.KERNEL32(?), ref: 00C54CC4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CloseFileHandleWrite$DisconnectNamedPipe
        • String ID: TERMINATE
        • API String ID: 3910351949-676853503
        • Opcode ID: 13ed718fcaa18e3cbf25733dd8575274876b1adca0e1348f6f2f47ab6100d06f
        • Instruction ID: 6267ddba0bc05566c92292ff93f0176d7635e5abcbdffbd433095bb742c29ad4
        • Opcode Fuzzy Hash: 13ed718fcaa18e3cbf25733dd8575274876b1adca0e1348f6f2f47ab6100d06f
        • Instruction Fuzzy Hash: 681163B55087819FC318DF29D881B0BFBE8FB88714F404A2EF5A693791D774E5488B51
        APIs
          • Part of subcall function 00CB1220: recv.WS2_32(?,?,?,00000000), ref: 00CB12AF
        • send.WS2_32(?,?,?,00000000), ref: 00CB131C
        • WSAGetLastError.WS2_32(?,?), ref: 00CB132F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLastrecvsend
        • String ID: EncryptMessage$Send failure: %s
        • API String ID: 3418755260-327157101
        • Opcode ID: c8e3572294115120487abe4906599f8007115d6c846ce804e720758252e22af2
        • Instruction ID: b0b28e5dcf9b7dd937d2aad01850ee18b11c209bb603f5f485948a91fd5e3109
        • Opcode Fuzzy Hash: c8e3572294115120487abe4906599f8007115d6c846ce804e720758252e22af2
        • Instruction Fuzzy Hash: 1A1170712042409FC730EF68DC85FEBB3E8EB9D310F54091DEA99C7291E6B4A9448B92
        APIs
        • MonitorFromPoint.USER32(?,?,00000000), ref: 00C58808
        • MonitorFromPoint.USER32(?,?,00000002), ref: 00C58812
        • GetMonitorInfoW.USER32 ref: 00C5884C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Monitor$FromPoint$Info
        • String ID: (
        • API String ID: 1942056148-3887548279
        • Opcode ID: be018f7c42ebd39d243cb066ede1a451db207d87879290300416f9147f17ccc3
        • Instruction ID: cbd2e17a47ceef37d4b10dd5906a3ba942f392a6f7dd34e2f5a49c6abcd61949
        • Opcode Fuzzy Hash: be018f7c42ebd39d243cb066ede1a451db207d87879290300416f9147f17ccc3
        • Instruction Fuzzy Hash: 30011B719093419FC314DF1AA881A4FBBE8EB98741F80052DF998E2250D730DA488BAA
        APIs
        • InvalidateRect.USER32(?,00000000,00000001), ref: 00C4FAD7
        • lstrlenW.KERNEL32(?), ref: 00C4FAE7
        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000003), ref: 00C4FAFF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ExecuteInvalidateRectShelllstrlen
        • String ID: open
        • API String ID: 2238680937-2758837156
        • Opcode ID: 869b9b9e00d5951fe3762e1f34444e81514ac18a02d5d9a04fa7194316ab2001
        • Instruction ID: a71d0b337d0fe54a95a84326a86eb04c4ee7faf962bdc2e1f438205850d5e433
        • Opcode Fuzzy Hash: 869b9b9e00d5951fe3762e1f34444e81514ac18a02d5d9a04fa7194316ab2001
        • Instruction Fuzzy Hash: 7DF0E2353453807EE2958B349CC9FC62B6A9B17719F525018B208DF0D2D186990FD7A0
        APIs
        • GetParent.USER32(05A2C2A1), ref: 00C5AA01
        • GetClassNameW.USER32(00000000,00000008,00000008), ref: 00C5AA0F
        • lstrcmpW.KERNEL32(?,#32770), ref: 00C5AA32
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ClassNameParentlstrcmp
        • String ID: #32770
        • API String ID: 3513268407-463685578
        • Opcode ID: 1e1ef4cd457d361bf37bc54cbeadd106263410fb6c13f356e0f4b3e9edf42787
        • Instruction ID: 908b88a25cffc65eb904a935e1cd12e7a4b0e8b82404d3aa857e64a6f6ea82a7
        • Opcode Fuzzy Hash: 1e1ef4cd457d361bf37bc54cbeadd106263410fb6c13f356e0f4b3e9edf42787
        • Instruction Fuzzy Hash: A7F05EB56107409BCA04EF74CC4AB1F33A8BB88701F804E1CB55BCB290EB38D6089B52
        APIs
        • GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceA), ref: 00CB9C66
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: AddressProc
        • String ID: InitSecurityInterfaceA$secur32.dll$security.dll
        • API String ID: 190572456-3788156360
        • Opcode ID: 1611d35f1e96042518a13645b7cac6a9f1d32e6a6c06eefd8649ee82ff80b7fe
        • Instruction ID: 7cd2b925813893ba4483b15cc7221d689f5ff668fef2c6a22ea10e8c39048ca0
        • Opcode Fuzzy Hash: 1611d35f1e96042518a13645b7cac6a9f1d32e6a6c06eefd8649ee82ff80b7fe
        • Instruction Fuzzy Hash: EEF06DA0F8434269FB60573B5C0BB9628C8E740B89F404431FB29D92C2FBB0DA009622
        APIs
          • Part of subcall function 00C69C90: GetFileAttributesW.KERNEL32(?,00000010,00000000), ref: 00C69D7F
          • Part of subcall function 00C69C90: DeleteFileW.KERNEL32(?), ref: 00C69D8B
        • Sleep.KERNEL32(00000064), ref: 00C80D8C
        • Sleep.KERNEL32(000003E8), ref: 00C80F29
        Strings
        • Unable to download bundle :, xrefs: 00C80E50
        • Bundle is already installing now: , xrefs: 00C80CAC
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: FileSleep$AttributesDelete
        • String ID: Bundle is already installing now: $Unable to download bundle :
        • API String ID: 235145485-532362104
        • Opcode ID: 9ff7af893b897a25b0c3807ab088999dad0766475b029744ac2c5f727289dff4
        • Instruction ID: 7caa5c8390887cb0bb1cefcdab3ce4d01aac08d9175eafed5ace0782b8f988a1
        • Opcode Fuzzy Hash: 9ff7af893b897a25b0c3807ab088999dad0766475b029744ac2c5f727289dff4
        • Instruction Fuzzy Hash: A6A1E2B15083809BD760FB64C846B5FBBE9AF94304F144D2EF28987342EB759509DBA3
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: String$Free
        • String ID:
        • API String ID: 1391021980-0
        • Opcode ID: 89738cc9a8b0435457bee61c9f1a42d2fb2511da42574be275e9a1812f479189
        • Instruction ID: ea5185b554d49ab885f96f1b6d5c88b85552a5c0ffad83913f3bfe7cc8df8284
        • Opcode Fuzzy Hash: 89738cc9a8b0435457bee61c9f1a42d2fb2511da42574be275e9a1812f479189
        • Instruction Fuzzy Hash: 8D5140B52042429BD314DF14CC85F6BB7ECEB88714F444A1DFA45E7290DB34E94A8BAA
        APIs
        • GetClientRect.USER32(?,?), ref: 00C5F303
        • GetClientRect.USER32(?,?), ref: 00C5F30E
        • CreateAcceleratorTableW.USER32(?,00000001), ref: 00C5F333
        • GetParent.USER32(?), ref: 00C5F359
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        • Associated: 00000000.00000002.3696937762.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3696955822.0000000000D7D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697088393.0000000000D84000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3697107306.0000000000D85000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ClientRect$AcceleratorCreateParentTable
        • String ID:
        • API String ID: 2716292469-0
        APIs
          • Part of subcall function 00C4F570: DeleteObject.GDI32(?), ref: 00C4F592
          • Part of subcall function 00C4F570: DeleteObject.GDI32(?), ref: 00C4F59F
          • Part of subcall function 00C4F570: DeleteObject.GDI32(?), ref: 00C4F5B0
          • Part of subcall function 00C4F570: DeleteObject.GDI32(?), ref: 00C4F5CB
          • Part of subcall function 00C4F570: DeleteObject.GDI32(?), ref: 00C4F5E6
          • Part of subcall function 00C4F570: DeleteObject.GDI32(?), ref: 00C4F601
        • DeleteObject.GDI32(?), ref: 00C503D1
          • Part of subcall function 00C514C0: DeleteObject.GDI32(?), ref: 00C514D3
        • GetObjectW.GDI32(?,00000018,?), ref: 00C503EB
        • DeleteObject.GDI32(?), ref: 00C5043D
        • GetObjectW.GDI32(?,00000018,?), ref: 00C50487
        Similarity
        • API ID: Object$Delete
        • String ID:
        • API String ID: 774837909-0
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,0000000F,00000000,00000014,05A2C2A1,00000010,0000000F,00000000), ref: 00C691C6
        • RegQueryValueExW.ADVAPI32 ref: 00C69225
        • RegCloseKey.ADVAPI32(?), ref: 00C69234
        • RegCloseKey.ADVAPI32(?), ref: 00C69265
        Similarity
        • API ID: ByteCharCloseMultiWide$OpenQueryValue
        • String ID:
        • API String ID: 3924453400-0
        APIs
        • GetLastError.KERNEL32(00000000,?,?), ref: 00CCC704
        • GetLastError.KERNEL32 ref: 00CCC7D3
        • SetLastError.KERNEL32(?), ref: 00CCC7E2
        Strings
        Similarity
        • API ID: ErrorLast
        • String ID: Unknown error %d (%#x)
        • API String ID: 1452528299-2414550090
        APIs
        • GetSysColor.USER32(0000000F), ref: 00C51057
        • GetSysColor.USER32(00000012), ref: 00C5105E
        • GetSysColor.USER32(0000000F), ref: 00C51065
        • GetSysColor.USER32(00000012), ref: 00C5106C
        Similarity
        • API ID: Color
        • String ID:
        • API String ID: 2811717613-0
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00C57FD7
        • RtlEnterCriticalSection.NTDLL(00D06BB8), ref: 00C57FEB
        • RtlLeaveCriticalSection.NTDLL(00D06BB8), ref: 00C58004
        • Shell_NotifyIconW.SHELL32(00000002), ref: 00C580B0
        Similarity
        • API ID: CriticalSection$CurrentEnterIconLeaveNotifyShell_Thread
        • String ID:
        • API String ID: 663708530-0
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,?,?), ref: 00C68F47
        • FindResourceW.KERNEL32(00000000,?,?,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00C6E62E
        • SizeofResource.KERNEL32(00000000,00000000,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00C6E650
        • LoadResource.KERNEL32(00000000,00000000,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00C6E65A
        • LockResource.KERNEL32(00000000,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00C6E665
        Similarity
        • API ID: Resource$ByteCharMultiWide$FindLoadLockSizeof
        • String ID:
        • API String ID: 1289833662-0
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
        • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00020019,?,?,00000010,0000000B,05A2C2A1,74DF0F00,00C80F47,00000000), ref: 00C690FC
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,?,?), ref: 00C68F47
        • RegQueryValueExW.ADVAPI32 ref: 00C69140
        • RegCloseKey.ADVAPI32(?), ref: 00C6914F
        • RegCloseKey.ADVAPI32(?,0000000F), ref: 00C6916F
        Similarity
        • API ID: ByteCharMultiWide$Close$OpenQueryValue
        • String ID:
        • API String ID: 3834392745-0
        APIs
        • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00C8B036
        • WaitForSingleObject.KERNEL32(?,00001388,?,00000000,?,00000000,00C8D7A5,05A2C2A1,000000FF,?,?,?), ref: 00C8B071
        • TerminateProcess.KERNEL32(00000000,00000001,?,00000000,?,00000000,00C8D7A5,05A2C2A1,000000FF,?,?,?), ref: 00C8B081
        • WaitForSingleObject.KERNEL32(?,000007D0,?,?,?,?,?,?,?,00000000,00CDFE3F,000000FF,00C8D8B4,74DF0F00,?,00000010), ref: 00C8B08F
        Similarity
        • API ID: ObjectSingleWait$MessageProcessSendTerminate
        • String ID:
        • API String ID: 2718398898-0
        APIs
        Similarity
        • API ID: DeleteObject$CursorDestroySelect
        • String ID:
        • API String ID: 3321866220-0
        APIs
        • MultiByteToWideChar.KERNEL32(?,?,00000003,00000000,?,000000FF,00000000,00000000), ref: 00C52C2C
        • SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 00C52C36
        • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,00000003,00000000,?,000000FF,00000000,00000000), ref: 00C52C4B
        • SysFreeString.OLEAUT32(00000000), ref: 00C52C52
        Similarity
        • API ID: ByteCharMultiStringWide$AllocFree
        • String ID:
        • API String ID: 447844807-0
        APIs
        • QueryPerformanceCounter.KERNEL32(00004E2B,00004E2B,?,0000000F,00000000,0000000F,00000000,?,?,?,00CAEC6E,?,00000000,00000000,00000007,00004E2B), ref: 00CB9A25
        • __alldvrm.LIBCMT ref: 00CB9A43
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB9A63
        • GetTickCount.KERNEL32 ref: 00CB9A75
        Similarity
        • API ID: CountCounterPerformanceQueryTickUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
        • String ID:
        • API String ID: 1296068966-0
        APIs
        • ShowWindow.USER32(?,00000005), ref: 00C57217
        • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C57226
        • GetCursorPos.USER32 ref: 00C5725D
        • TrackPopupMenu.USER32(?,00000004,00000000,00000000,00000000,?,00000000), ref: 00C57287
        Similarity
        • API ID: CursorIconMenuNotifyPopupShell_ShowTrackWindow
        • String ID:
        • API String ID: 665688669-0
        APIs
        • GetDesktopWindow.USER32 ref: 00C68DEA
        • GetClientRect.USER32(00000000), ref: 00C68DF1
        • SystemParametersInfoW.USER32(00000030,00000000,00000000,00000000), ref: 00C68E02
        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000000), ref: 00C68E45
        Similarity
        • API ID: Window$ClientDesktopInfoParametersRectSystem
        • String ID:
        • API String ID: 3430677559-0
        APIs
        • SHGetPathFromIDListW.SHELL32(?,00D071F0), ref: 00C725D8
        • SendMessageW.USER32(?,00000465,00000000,00000000), ref: 00C725EB
        • SendMessageW.USER32(?,00000467,00000001,?), ref: 00C72614
        • SendMessageW.USER32(?,0000046A,00000001,?), ref: 00C7261F
        Similarity
        • API ID: MessageSend$FromListPath
        • String ID:
        • API String ID: 1178215338-0
        APIs
          • Part of subcall function 00C68EC0: IsUserAnAdmin.SHELL32 ref: 00C68EC0
        • SetForegroundWindow.USER32(?), ref: 00C8088A
          • Part of subcall function 00C696C0: ShellExecuteExW.SHELL32 ref: 00C6973B
        Strings
        Similarity
        • API ID: AdminExecuteForegroundShellUserWindow
        • String ID: - $Can't launch installation
        • API String ID: 335441542-981529950
        Strings
        Similarity
        • API ID:
        • String ID:
        • API String ID: 0-3916222277
        APIs
        • GetCurrentProcessId.KERNEL32(05A2C2A1,00000000), ref: 00C75B29
          • Part of subcall function 00CD614D: __onexit.MSVCRT ref: 00CD6155
          • Part of subcall function 00C48CA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C48D3A
        Strings
        Similarity
        • API ID: CurrentIos_base_dtorProcess__onexitstd::ios_base::_
        • String ID: err: $err: ppid=0
        • API String ID: 280058837-150683369
        APIs
        • ResetEvent.KERNEL32(?,05A2C2A1), ref: 00C5553A
        Strings
        Similarity
        • API ID: EventReset
        • String ID: CREATE_PROCESS$^OK.*?:\d+:(\d+)
        • API String ID: 2632953641-2476907915
        • Opcode ID: d116d0beb882dd27dcb2b4a9d068a65a758982e8c4b581ef1ba3da8f4eb334b9
        • Instruction ID: 5b6cf3f01f1de46f10a2ad0a7095ef1d71a56c0c710fae133895f0dc6d9ca7d9
        • Opcode Fuzzy Hash: d116d0beb882dd27dcb2b4a9d068a65a758982e8c4b581ef1ba3da8f4eb334b9
        • Instruction Fuzzy Hash: D041C275108B809FC324DF28C481B5FB7E5FB88720F604A1DF9A6833D1DB75A5498B96
        APIs
        • ResetEvent.KERNEL32(?,05A2C2A1,?,0000000F,0000000F,00000000), ref: 00C5590D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: EventReset
        • String ID: WIN7_ADD_FW_RULE$^OK.*
        • API String ID: 2632953641-3882624681
        • Opcode ID: 36e571697890a8f2c7206c372b74b9e89acb0021d4592e4a85b08fb2bc55bd4c
        • Instruction ID: 93d9598fa021a8996bb4e04d456e329c51c715a94a2a555d44ca0f8285cac1cf
        • Opcode Fuzzy Hash: 36e571697890a8f2c7206c372b74b9e89acb0021d4592e4a85b08fb2bc55bd4c
        • Instruction Fuzzy Hash: E541EE795087809BC714DB688451A1FFBE8AB88710F040D1DF5C683382DB79E549DBAB
        APIs
        • WriteFile.KERNEL32(?,?,?,?,?,00000001,05A2C2A1), ref: 00C56C6B
        • GetLastError.KERNEL32 ref: 00C56C9E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: ErrorFileLastWrite
        • String ID: WriteFile failed:
        • API String ID: 442123175-2416479103
        • Opcode ID: e13316d925183647f1fe376eef432b8bb923c93276d3d257b3b7409f2d2bc0c4
        • Instruction ID: 27549db6646a3b1a4b0fd1f7bde0cdea9b42cd69445eadff42f35d1a6ddda0ba
        • Opcode Fuzzy Hash: e13316d925183647f1fe376eef432b8bb923c93276d3d257b3b7409f2d2bc0c4
        • Instruction Fuzzy Hash: A4418CB56043409FC720EF65C940A5BB7E8FB88705F404A2EF99697241DB70F948CBA6
        APIs
        • GetDlgItem.USER32(?,000003E8), ref: 00C603D5
          • Part of subcall function 00C601F0: RtlEnterCriticalSection.NTDLL(00D078D0), ref: 00C601FC
          • Part of subcall function 00C601F0: RegisterClipboardFormatW.USER32(WM_ATLGETHOST), ref: 00C6020D
          • Part of subcall function 00C601F0: RegisterClipboardFormatW.USER32(WM_ATLGETCONTROL), ref: 00C60219
          • Part of subcall function 00C601F0: GetClassInfoExW.USER32(00C30000,AtlAxWin90,?), ref: 00C60240
          • Part of subcall function 00C601F0: LoadCursorW.USER32 ref: 00C6027E
          • Part of subcall function 00C601F0: RegisterClassExW.USER32 ref: 00C602A1
          • Part of subcall function 00C601F0: GetClassInfoExW.USER32(00C30000,AtlAxWinLic90,?), ref: 00C602EA
          • Part of subcall function 00C601F0: LoadCursorW.USER32 ref: 00C60322
          • Part of subcall function 00C601F0: RegisterClassExW.USER32 ref: 00C60345
        Strings
        • Can't fetch IID_IOleObject interface, xrefs: 00C60437
        • Can't create IWebBrowser2 instance, xrefs: 00C60401
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: ClassRegister$ClipboardCursorFormatInfoLoad$CriticalEnterItemSection
        • String ID: Can't create IWebBrowser2 instance$Can't fetch IID_IOleObject interface
        • API String ID: 1128274796-2566292147
        • Opcode ID: 4d2be2a1b20ae34d9ba3e1d967b41f8b1eb446abdaf61c25918e823c7704a96e
        • Instruction ID: 13e665c0c6831f5c2e9d2222bbf6ff12d986ff05ed5ebd7495768466d46df22e
        • Opcode Fuzzy Hash: 4d2be2a1b20ae34d9ba3e1d967b41f8b1eb446abdaf61c25918e823c7704a96e
        • Instruction Fuzzy Hash: 4B4125B1208781AFC760DF68C881E6BB7E8BF88704F14492DF659D7291DB74E909CB52
        APIs
        • ResetEvent.KERNEL32(?,05A2C2A1,00000000,00000000), ref: 00C55379
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: EventReset
        • String ID: SHELLEXECUTE$^OK.*
        • API String ID: 2632953641-3511153457
        • Opcode ID: 7d7243a00676107b4a3255213f5060dbfc216134003c841ad941f847331366ae
        • Instruction ID: ee532b195d96fe657f45d935ac68a34207a365a2fd16dd65548b93986a955f96
        • Opcode Fuzzy Hash: 7d7243a00676107b4a3255213f5060dbfc216134003c841ad941f847331366ae
        • Instruction Fuzzy Hash: 0541D0B6108B409FC318DF24D851A4FB7E5FB88710F004A2DF5A683391DB35A949CFAA
        APIs
        • ResetEvent.KERNEL32(?,05A2C2A1,00000000,00000000), ref: 00C55739
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: EventReset
        • String ID: WRITE_HKLM_KEY$^OK.*
        • API String ID: 2632953641-1393937896
        • Opcode ID: 1cd7f8fc12ba00dd5adfe246c2e0e42f168b35fe1ce7959b90d29632020dc09b
        • Instruction ID: 03cc8d15dc1f62a5e64b019957570bb2451aa5ac707d7870b4c0bddbf5d221ee
        • Opcode Fuzzy Hash: 1cd7f8fc12ba00dd5adfe246c2e0e42f168b35fe1ce7959b90d29632020dc09b
        • Instruction Fuzzy Hash: E041DFB6108B409FD318DF24D851A4FB3E5BB88710F004A1DF5A683391DB35A849CFAA
        APIs
        • ResetEvent.KERNEL32(?,05A2C2A1), ref: 00C551D9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: EventReset
        • String ID: TERMINATE_PROCESS$^OK.*
        • API String ID: 2632953641-2434239159
        • Opcode ID: cfb2d81f7405c704426f7803aa626592821585f71124c64a05063c2c5f853976
        • Instruction ID: 26cd5f86f17f8534436bca841317fd138db32643d981a718a0cdc5046d3da643
        • Opcode Fuzzy Hash: cfb2d81f7405c704426f7803aa626592821585f71124c64a05063c2c5f853976
        • Instruction Fuzzy Hash: 0731C2B61087409FC718DF24D891A5BB7E4FB98710F404A2DF5A6833C1DB359849DFA6
        APIs
          • Part of subcall function 00C38FA0: CreateThread.KERNEL32(00000000,00000000,Function_00008B00,00000000), ref: 00C38FDD
        • CreateThread.KERNEL32(00000000,00000000,Function_000594A0,?,00000000,0000000B), ref: 00C899B0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: CreateThread
        • String ID: Fail server command show fusion$fusion-show
        • API String ID: 2422867632-1126247115
        • Opcode ID: c6a33ca8537049840213413b8d4af45711c96a45701adb0507091786d3ad9d0c
        • Instruction ID: a98099bfe3ab2970299b1a6bb3b3c19105968a07dbf4cc6725424ff7445c39f1
        • Opcode Fuzzy Hash: c6a33ca8537049840213413b8d4af45711c96a45701adb0507091786d3ad9d0c
        • Instruction Fuzzy Hash: E831C3B1518380AFD304EF64C885B6BBBE4EB88354F44492DF59643382DB79E808CB57
        APIs
        • WaitForSingleObject.KERNEL32(?,00001388), ref: 00C55099
        • ResetEvent.KERNEL32(?), ref: 00C55148
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: EventObjectResetSingleWait
        • String ID: ^TERMINATED
        • API String ID: 3162950495-744291783
        • Opcode ID: c0a1ed247dd9d0e8068745d42f1b0a681e215564d9544a1cd7f4c815ecb4eb97
        • Instruction ID: 7d8020f6a568e7eb008e2a252d90fdb924984009b57aa28343e09adefacc51ad
        • Opcode Fuzzy Hash: c0a1ed247dd9d0e8068745d42f1b0a681e215564d9544a1cd7f4c815ecb4eb97
        • Instruction Fuzzy Hash: 8C218971208741AFC700DF59D855B5AB7E8FB88720F104A1DF555877C0DBB5A908CBA2
        APIs
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,00000000,00000000,0000008C,00000068,0000089C,00000000,00C56085), ref: 00C68EFB
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00C68F32
          • Part of subcall function 00C68ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,05A2C2A5,000000FF,?,?), ref: 00C68F47
        • ShellExecuteExW.SHELL32 ref: 00C6973B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: ByteCharMultiWide$ExecuteShell
        • String ID: <$L
        • API String ID: 4114931494-1555180027
        • Opcode ID: a7c9bee2a36199b5eb190c8e1ffe6516d59741656c2995b431b0040d2bc56952
        • Instruction ID: be699709d8b8b47e26f8b082b2069a94ea70b3ec359ba2a5ff9b757c4ac1c666
        • Opcode Fuzzy Hash: a7c9bee2a36199b5eb190c8e1ffe6516d59741656c2995b431b0040d2bc56952
        • Instruction Fuzzy Hash: 9A217CB19143009BD210EF19A8C196FF7E8EFD4310F480A1EF59496200E779DA099BA7
        APIs
        • FormatMessageW.KERNEL32(00001100,00000000,00000000,00000800,?,00000000,00000000,753C3D70,00000000,?,00C53233), ref: 00C7274D
        • LocalFree.KERNEL32(?,?,?,?,00000000,?,?), ref: 00C727DB
        Strings
        • ormatMessage Native Error, xrefs: 00C72780
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: FormatFreeLocalMessage
        • String ID: ormatMessage Native Error
        • API String ID: 1427518018-327778693
        • Opcode ID: e072d65a48a1aa1d4cf37e54198f70cbab6e4861b880da9d898653d973be6bfc
        • Instruction ID: 8a06786eb97dbbd59b353370bc9f35a63660561395fb4109f6c2b5a27c647024
        • Opcode Fuzzy Hash: e072d65a48a1aa1d4cf37e54198f70cbab6e4861b880da9d898653d973be6bfc
        • Instruction Fuzzy Hash: A7215BB56003029FC728DF68D845B6BB7E5EFC8711F14891DF58ADB390EA70A904C761
        APIs
          • Part of subcall function 00C6E8F0: EnumProcesses.PSAPI(?,00001000,?,05A2C2A1,00000000,?,0000000F,00000000,00000000,00CDC67D,000000FF,00C6FD74,00000000,00100001), ref: 00C6E945
        • TerminateProcess.KERNEL32(00000000,00000001,?,05A2C2A1), ref: 00C6EBFF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: EnumProcessProcessesTerminate
        • String ID: Process is not found$TerminateProcess failed:
        • API String ID: 3965109945-3139234549
        • Opcode ID: 622ba59a8e3ddaa2d36686566bc9f5893765ad4e32d1bc660f542398537a916a
        • Instruction ID: 56acc1363a80b26c916c4734b6c7743045bae02150e2eeda79d6af478deabb32
        • Opcode Fuzzy Hash: 622ba59a8e3ddaa2d36686566bc9f5893765ad4e32d1bc660f542398537a916a
        • Instruction Fuzzy Hash: C22123B5508340AFDB14EB24CC86B4BB7E5AB94708F40492DF55A873D1EBB9D1048BA2
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: MessageParentSend
        • String ID: 0
        • API String ID: 928151917-4108050209
        • Opcode ID: fc9ea654d4f5a73d07228488dac5718278a88b26d9b5a9b3c75162ccbb07300c
        • Instruction ID: ca6e8a7f0c23af533e544f3a230a330309075cadbb4dc1122dc989de82a97cd2
        • Opcode Fuzzy Hash: fc9ea654d4f5a73d07228488dac5718278a88b26d9b5a9b3c75162ccbb07300c
        • Instruction Fuzzy Hash: 5701C274508341AFD304DF59C895B5BFBF8AF88744F50891EF998872A0E3B09909CF96
        APIs
        • FreeLibrary.KERNEL32(00000000), ref: 00C88196
        • TerminateThread.KERNEL32(?,00000002), ref: 00C881A7
          • Part of subcall function 00C880F0: Sleep.KERNEL32(00000064), ref: 00C8811E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: FreeLibrarySleepTerminateThread
        • String ID: installer aborted
        • API String ID: 3157352780-562507505
        • Opcode ID: 6e1006f38bcdc3d8ef0a188370b05d9f0cdf35fe10f544581bc52d897fd8a62b
        • Instruction ID: 5ab2684287167162fc59e93b33eda5af134445714b2c1361e5af23e6ac4d4363
        • Opcode Fuzzy Hash: 6e1006f38bcdc3d8ef0a188370b05d9f0cdf35fe10f544581bc52d897fd8a62b
        • Instruction Fuzzy Hash: 8901AF30908340AFEB25B774DD4DBDE3BA4AB05709F844409F249C9AE1CFB4B889CB25
        APIs
        • lstrlen.KERNEL32(00000000,?,0000000F,00000000,00000000,00000017,?,?,?,?,0000000F,00000000,00C7464C,00000000,00000000,00000009), ref: 00C768B8
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,?,?,?,?,0000000F,00000000,00C7464C,00000000,00000000,00000009), ref: 00C768CB
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: ByteCharMultiWidelstrlen
        • String ID:
        • API String ID: 3109718747-0
        • Opcode ID: f0ec5f573e436722b7af4d8a524a3e52883d6cc39db8b7ea1e6fcf292cd9a6f9
        • Instruction ID: 67626981e960f9b02c1aaa9136a45f1d591d9ebdcc906d1f8011fbdb57370c9e
        • Opcode Fuzzy Hash: f0ec5f573e436722b7af4d8a524a3e52883d6cc39db8b7ea1e6fcf292cd9a6f9
        • Instruction Fuzzy Hash: 1021F172A00A15ABE7209F559C42F6F3BA89F41750F148129FE1DEB240E674DE04C3A6
        APIs
        • lstrlen.KERNEL32(00000000,?,0000000F,00000000,00000000,00000017,?,?,?,?,0000000F,00000000,00C7464C,00000000,00000000,00000009), ref: 00C769B8
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,?,?,?,?,0000000F,00000000,00C7464C,00000000,00000000,00000009), ref: 00C769CB
        Memory Dump Source
        • Source File: 00000000.00000002.3696955822.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
        Similarity
        • API ID: ByteCharMultiWidelstrlen
        • String ID:
        • API String ID: 3109718747-0
        • Opcode ID: 158121520c04352a9b9b720b34092e3c1c8bb65a5c415d6d9a5d42c997d7670e
        • Instruction ID: a89e412e92f78177a671c6672b69277f6c0dfc535137546c1504935312acd02a
        • Opcode Fuzzy Hash: 158121520c04352a9b9b720b34092e3c1c8bb65a5c415d6d9a5d42c997d7670e
        • Instruction Fuzzy Hash: 3A21EF72A00A15ABD720AF559C41F6F7BA89F407A0F14C129FA0DFB240E734DE00A3A5