Windows Analysis Report
BrowserUpdate.exe

Overview

General Information

Sample name: BrowserUpdate.exe
Analysis ID: 1472046
MD5: 696b3679926998b45c806a1068ffcb75
SHA1: 87a680e3018d3604eea9b1d28915fac5172f30df
SHA256: 393b1fdda7c4af084743c56c27585366567a8446c6438753d20b0b9ee3e72541

Detection

MicroClip
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MicroClip
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

  • System is w10x64
  • BrowserUpdate.exe (PID: 1220 cmdline: "C:\Users\user\Desktop\BrowserUpdate.exe" MD5: 696B3679926998B45C806A1068FFCB75)
No configs have been found

Source | Rule | Description | Author | Strings
BrowserUpdate.exe | JoeSecurity_MicroClip | Yara detected MicroClip | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2205746713.00007FF7E2DC8000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_MicroClip | Yara detected MicroClip | Joe Security |
00000000.00000000.2108717389.00007FF7E2DC8000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_MicroClip | Yara detected MicroClip | Joe Security |
Process Memory Space: BrowserUpdate.exe PID: 1220 | JoeSecurity_MicroClip | Yara detected MicroClip | Joe Security |

No Sigma rule has matched
No Snort rule has matched

          AV Detection

          Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
          Source: BrowserUpdate.exe Static PE information: certificate valid
          Source: unknown DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
          Source: unknown TCP traffic detected without corresponding DNS query: 193.3.19.110
          Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
          Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: GetRawInputData
          Source: BrowserUpdate.exe Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
          Source: BrowserUpdate.exe Static PE information: Resource name: BINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
          Source: BrowserUpdate.exe Static PE information: Resource name: BINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
          Source: BrowserUpdate.exe Static PE information: Resource name: RT_STRING type: 0421 Alliant compact executable not stripped
          Source: BrowserUpdate.exe Static PE information: Resource name: RT_STRING type: PDP-11 executable not stripped
          Source: BrowserUpdate.exe Static PE information: Resource name: RT_STRING type: PDP-11 separate I&D executable not stripped
          Source: BrowserUpdate.exe Static PE information: Number of sections : 17 > 10
          Source: BrowserUpdate.exe Static PE information: Section: .reloc ZLIB complexity 1.5
          Source: classification engineClassification label: mal84.troj.evad.winEXE@1/0@1/1
          Source: C:\Users\user\Desktop\BrowserUpdate.exeFile opened: C:\Windows\system32\666d41a7b4f4c851e6ab055a75eddf8d06d59c7d7c7e2f1aafbc9dab4cbf23a1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
          Source: C:\Users\user\Desktop\BrowserUpdate.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO AnomalyInfo(Key, UnbiasedTime) VALUES (?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(13, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(1) FROM AutoFeatureControl;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT DISTINCT TableName FROM AnomalyTables;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key FROM FileHashes WHERE FileHashes.Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(1) FROM RansomwareDetections;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(1) FROM NetworkIpFirewallRules;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT COUNT(1) FROM FileLowFiAsync;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID from RecordIdentifier WHERE Key = ? AND RecordTimeStamp = ? ;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(6, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(14, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(4, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode FROM RollingQueuesTables WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(5, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime, UpdateTime, ScalarFactor, LinearFactor, DecayInterval, HighCount, LastDecayTime FROM AtomicCounters WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(12, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE RecordIdentifier.ID IN (SELECT FileInstance.RecordID from FileInstance WHERE FileInstance.ParentRecordID = ? );
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT RuleAction, RuleId, IsAudit, IsInherited, State FROM BmHipsRuleInfo WHERE ProcessInfoId = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRules WHERE ExpiryTime < ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(1) FROM SystemFileCache;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(1) FROM SdnEx;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(3, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO FileInstance(InstanceTimeStamp, RecordID, ScanID, TrackingEnabled, StorageEvent, StorageEventState, ModificationsCount, ParentRecordID, Parent_FileEvent, Parent_FileName, Parent_ProcessID, Remote_ProcessID, FileID, FileName, USN, CreateTime, LastAccessTime, LastWriteTime, Signer, SignerHash, Issuer, SigningTime, MOTW, MOTWFromParent,IsValidCert, CertInvalidDetails, IsCatalogSigned) VALUES(?, ? , ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime, UpdateTime, ScalarFactor, LinearFactor, DecayInterval, HighCount, LastDecayTime) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Version, Current, LastUpdated FROM SQLiteGlobals WHERE Current = 1 ORDER BY Version DESC ;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO AttributeCounts(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(28, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ?, UpdateTime = ?, ScalarFactor = ?, LinearFactor = ?, DecayInterval = ?, HighCount = ?, LastDecayTime = ?, WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID from File WHERE SHA1 = ? ;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO ScanInfo(SigSeq, PersistSigSeq, ProgenitorPersistSigSeq, ScanAgent, NamedAttributes, PeAttributes, SigAttrEvents, ScanReason, WebURL, EngineID, SigSha) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? );
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM Engine WHERE EngineVersion = ? AND SigVersion = ? ;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT COUNT(1) FROM AttributePersistContext;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(1) FROM SystemRegistryCache;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(24, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(11, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM RansomwareDetections WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM RansomwareDetections;DELETE FROM RansomwareDetections WHERE Key = ?;SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;SELECT ID FROM RansomwareDetections WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT Count(1) FROM BmFileStartupActions;SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId FROM BmFileStartupActions WHERE FilePathHash = ?|
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?; SELECT COUNT(1) FROM FileLowFiAsync; INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO AnomalyTables(Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(16, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(8, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(26, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_ FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT COUNT(1) FROM AnomalyTables;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID, PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High FROM BmProcessInfo WHERE PPIDHash = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;DELETE FROM BmFileActions;DELETE FROM BmFileInfo;SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT Count(1) FROM BmFileInfo;B
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(20, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(18, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM BmProcessInfo WHERE PPIDHash = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT COUNT(1) FROM AnomalyInfo;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ValueMapArrayBlob FROM ValueMapArray WHERE Key = ? AND RecordType = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key FROM AttributeCounts WHERE AttributeCounts.Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key FROM AttributeCounts ORDER BY InsertTime ASC LIMIT 1;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key FROM ValueMapArray WHERE ValueMapArray.Key = ? AND ValueMapArray.RecordType = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(21, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(1) FROM BmFileInfo;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT COUNT(1) FROM AtomicCounters;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(17, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO BmHipsRuleInfo(ProcessInfoId, RuleAction, RuleId, IsAudit, IsInherited, State) VALUES (?, ?, ?, ?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO ProcessInfo(FileName, ProcessId, CommandLine, StartTime, TokenElevation, TokenElevationType, IntegrityLevel) VALUES(? , ? , ? , ? , ? , ? , ? );
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE ID = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(32, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(19, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM NetworkIpFirewallRules WHERE NetworkIpFirewallRules.Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(22, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM RansomwareDetections WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(32, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(29, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM SystemRegistryCache WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT COUNT(1) FROM AttributeCounts;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(1) FROM AmsiFileCache;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO SystemRegistryCache(Key, FileIDHash, RegPath, RegOperation, NewRegType, OldRegType, OldRegData, NewRegData, InstanceTimeStamp) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO File(SHA1, MD5, lshashs, lshash, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n, Size, SHA256) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?, ?, ? );
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(23, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT COUNT(1) FROM RollingQueuesValues;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(15, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(10, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO BmProcessInfo(PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High)VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(1) FROM BackupProcessInfo;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT COUNT(1) FROM ValueMapArray WHERE RecordType = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT FileInstance.ID FROM FileInstance, RecordIdentifier WHERE FileInstance.RecordID = RecordIdentifier.ID AND RecordIdentifier.Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT RecordIdentifier.Key, FileInstance.RecordID, RecordIdentifier.RecordTimeStamp, FileInstance.TrackingEnabled, FileInstance.StorageEvent, FileInstance.StorageEventState, FileInstance.ModificationsCount, FileInstance.ParentRecordID, FileInstance.Parent_FileEvent, FileInstance.Parent_FileName, RecordIdentifier.Generation, FileInstance.FileName, FileInstance.USN, FileInstance.CreateTime, FileInstance.LastAccessTime, FileInstance.LastWriteTime, FileInstance.Signer, FileInstance.SignerHash, FileInstance.Issuer, FileInstance.SigningTime, FileInstance.MOTW, FileInstance.MOTWFromParent, FileInstance.IsValidCert, FileInstance.CertInvalidDetails, FileInstance.IsCatalogSigned, File.SHA1, File.MD5, File.lshashs, File.lshash, File.PartialCRC1, File.PartialCRC2, File.PartialCRC3, File.KCRC1, File.KCRC2, File.KCRC3, File.KCRC3n, File.Size, File.SHA256, ParentProcessInfo.CommandLine, ParentProcessInfo.FileName, ParentProcessInfo.IntegrityLevel, ParentProcessInfo.ProcessId, ParentProcessInfo.StartTime, ParentProcessInfo.TokenElevation, ParentProcessInfo.TokenElevationType, RemoteProcessInfo.CommandLine, RemoteProcessInfo.FileName, RemoteProcessInfo.IntegrityLevel, RemoteProcessInfo.TokenElevation, RemoteProcessInfo.TokenElevationType, ScanInfo.NamedAttributes, ScanInfo.PeAttributes, ScanInfo.PersistSigSeq, ScanInfo.ProgenitorPersistSigSeq, ScanInfo.ScanAgent, ScanInfo.ScanReason, ScanInfo.SigAttrEvents, ScanInfo.SigSeq, ScanInfo.SigSha, ScanInfo.WebURL,Engine.EngineVersion, Engine.SigVersion FROM RecordIdentifier INNER JOIN (FileInstance INNER JOIN File ON FileInstance.FileID = File.ID LEFT OUTER JOIN ProcessInfo as 'ParentProcessInfo' ON FileInstance.Parent_ProcessID = ParentProcessInfo.ID LEFT OUTER JOIN ProcessInfo as 'RemoteProcessInfo' ON FileInstance.Remote_ProcessID = RemoteProcessInfo.ID LEFT OUTER JOIN (ScanInfo INNER JOIN 
Engine ON ScanInfo.EngineID = Engine.ID) ON FileInstance.ScanID = ScanInfo.ID ) ON RecordIdentifier.ID = FileInstance.RecordID WHERE RecordIdentifier.Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(9, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(1) FROM DynSigRevisions;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT COUNT(1) FROM ProcessBlockHistory;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO ValueMapArray(Key, RecordType, ValueMapArrayBlob, InstanceTimeStamp) VALUES(?, ? , ? , ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AttributeCounts WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT COUNT(1) FROM FileHashes;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO RecordIdentifier(Key, RecordTimeStamp, Generation) VALUES(?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?N
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(27, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO NetworkIpFirewallRules(Key, FirewallRuleName, ExpiryTime) VALUES (?, ?, ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(7, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Count(1) FROM DynSigRevisions;SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(2, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE AttributeCounts SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT (SELECT COUNT(*) FROM File) + (SELECT COUNT(*) FROM FileInstance);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode) VALUES(? , ? , ? , ? , ?);
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT ID FROM BackupProcessInfo WHERE Key = ?;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(25, 1, date('now'));
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Count(1) FROM BmFileStartupActions;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1;
          Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO Engine(EngineVersion, SigVersion) VALUES(? , ? );
          Source: BrowserUpdate.exeString found in binary or memory: models.tsvalueTypexl/theme/xl/_rels/ppt/tags/map[%s]%sEBWebViewargumentsprotectedtransient__VALUE__Try Againne-resizese-resizesw-resizenw-resizeBACKSPACEMEDIASTOPplaintextkeypointsmaskunitspointsatxpointsatypointsatzrepeatdurkeyPointsmaskUnitspointsAtXpointsAtYpointsAtZrepeatDurgdi32.dllCreateDCWCreateICWRectangleSetBkModeStartDocWStartPageLoadIconWReleaseDCEqualRectUnionRectEndDialogDrawTextWSetCursorSendInputAlt+ShiftMediaStopOEMPeriodaudio/oggvideo/oggimage/jxlvideo/jpmimage/bpgaudio/mp3audio/midaudio/apeaudio/wavaudio/amraudio/aacaudio/mp4video/3gpvideo/3g2video/asffont/sfntencoding=terminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsapi.dllws2_32.dll%!Weekday(short readdwmapi.dlluser32.dllIsValidSidLocalAllocLockFileExOpenEventWOpenMutexWOpenThreadPulseEventResetEventWSASocketW0123456789not a boolCreateFilecreatetemp/dev/stdincomplex128t.Kind == /etc/hosts.localhostwsarecvmsgwsasendmsgIP addressunixpacket netGo = execerrdotSYSTEMROOT for type text/plainnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pc12207031256103515625ParseFloatVT_ILLEGALChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtraParseAddr(invalid IPskipping: ClassCSNETClassCHAOSAdditionalres binderres masterresumptionexp masterSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1 but have ConnectionKeep-Alivelocal-addrimage/webpimage/jpegaudio/aiffaudio/mpegaudio/midiaudio/wavevideo/webmfont/woff2Set-Cookiebytes */%d stream=%dset-cookieuser-agentkeep-alive:authorityconnectionUser-AgentHost: %s
          Source: BrowserUpdate.exeString found in binary or memory: using unaddressable valueunknown ABI parameter kind using zero Value argumentreflect.Value.MethodByNamereflect.Value.OverflowUintcannot marshal DNS messageunexpected type in connecttoo many colons in addressunclosed criterion bracketcriterion lacks equal signencountered a cycle via %sdots or key param is emptyall goroutines stack tracecall from unknown functionnotewakeup - double wakeuppersistentalloc: size == 0/gc/cycles/total:gc-cyclesnegative idle mark workersuse of invalid sweepLockerfreedefer with d.fn != nilforEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meinittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcallempty buffer in CopyBuffer1455191522836685180664062572759576141834259033203125As4 called on IPv6 addresssegment prefix is reservedECDSA verification failurebad certificate hash valuex509: malformed parametersx509: malformed extensionsx509: invalid simple chainread from empty dataBuffernet/http: request canceledstopped after 10 redirectsduplicate pseudo-header %qhttp2: Framer %p: wrote %vframe_windowupdate_bad_lenframe_priority_zero_streaminternal error: bad Writerhttp2: invalid Host headermalformed HTTP status codeaddress type not supportedHTTP Version Not SupportedreadLoopPeekFailLocked: %winvalid port %q after host_html_template_htmlescaper_html_template_attrescaperno templates in name spacetemplate escaped correctlyecdsa: invalid private keyed25519: bad seed length: cryptobyte: internal errorbase 128 integer too largetruncated base 128 integerasn1: invalid UTF-8 stringnon sequence tagged as setid (%v) <= evictCount (%v)malformed chunked encodingYCbCrSubsampleRatioUnknownunsupported JPEG feature: unknown component selectorpng: unsupported feature: IDAT chunk length overflowhexcolor|rgb|rgba|hsl|hsla^[-+]?[0-9]+(?:\.[0-9]+)?$^(9694[1-4])([ \-]\d{4})?$unterminated quoted stringunexpected . 
after term %qinvalid value; expected %sexpected integer; found %sexpected complex; found %stoo many slice indexes: %dnon-comparable type %s: %vchacha20: wrong nonce sizechacha20: counter overflownot a pointer to a struct.method '%s' not registeredmethod '%d' not registeredunknown Window message: %sEmbeddedBrowserWebView.dll%s%sthis%s = source["%s"];Error from monitor #%v, %vFailed to marshal data: %v-//ietf//dtd html strict//bare " in non-quoted-fieldIsClipboardFormatAvailableGdipCreateBitmapFromStreamAddClipboardFormatListenerError occurred in App.InitUnable to processIndexHTMLUnable to write content %sresponse has been finishedHasCurrentHeader Error: %sGetCurrentHeader Error: %sResp.GetHeaders failed: %sapplication/x-ms-installerapplication/vnd.ms-outlookapplication/x-unix-archiveapplication/vnd.adobe.xfdf
          Source: BrowserUpdate.exeString found in binary or memory: %s takes %d inputs. Received %dInvalid Set Log Level Message: ca-ES-valencia en-US-u-va-posixencodeReflectValue: nil elementcannot find type for %s (%s/%s)Call to GetKeyboardState failedunable to release mouse capturecan't handle scalars > 256 bits-//ietf//dtd html 2.0 level 1//-//ietf//dtd html 2.0 level 2//-//w3c//dtd html 3 1995-03-24//-//w3c//dtd html 4.0 frameset//-//webtechs//dtd mozilla html//application/x-windows-installer
          Source: BrowserUpdate.exeString found in binary or memory: http://support.google.com/installer/
          Source: BrowserUpdate.exeString found in binary or memory: ..\..\chrome\updater\app\app_install_win.ccUpdate success.No updates.Updater error: http://support.google.com/installer/%s?product=%s&error=%d installation completed: error category[], error_code[], extra_code1[], completion_message[], post_install_launch_command_line[]SetOemInstallState failedStoreRunTimeEnrollmentToken failed
          Source: BrowserUpdate.exeString found in binary or memory: https://dl.google.com/update2/installers/icons/
          Source: BrowserUpdate.exeString found in binary or memory: .0\u to Write byteshttps://update.googleapis.com/service/update2/jsonhttps://clients2.google.com/cr/reporthttps://m.google.com/devicemanagement/data/apihttps://dl.google.com/update2/installers/icons/1:356l7w0
          Source: BrowserUpdate.exeString found in binary or memory: Try '%ls --help' for more information.
          Source: BrowserUpdate.exeString found in binary or memory: --help display this help and exit
          Source: BrowserUpdate.exeString found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
          Source: BrowserUpdate.exeString found in binary or memory: asennuksen: $1oError sa pag-install: Nag-apply ang administrator ng network mo ng Group Policy na pumipigil sa pag-install: $1
          Source: BrowserUpdate.exeString found in binary or memory: Tapos na ang pag-install.
          Source: BrowserUpdate.exeString found in binary or memory: Kanselahin ang Pag-install
          Source: BrowserUpdate.exeString found in binary or memory: Error sa pag-install: $1
          Source: BrowserUpdate.exeString found in binary or memory: isvaatimuksia.fHindi na-install dahil hindi natutugunan ng iyong computer ang mga minimum na requirement sa hardware.mL'installation a
          Source: BrowserUpdate.exeString found in binary or memory: Inihinto ang Pag-install.
          Source: BrowserUpdate.exeString found in binary or memory: $1-installeerder
          Source: BrowserUpdate.exeString found in binary or memory: $1-Installationsprogramm
          Source: BrowserUpdate.exeString found in binary or memory: $1-installatieprogramma
          Source: BrowserUpdate.exeString found in binary or memory: $1-installasjonsprogram
          Source: BrowserUpdate.exeString found in binary or memory: .:Asennusvirhe: Asennusprosessin aloittaminen ei onnistunut.?Error sa pag-install: Hindi nagsimula ang proseso ng installer.GErreur d'installation
          Source: BrowserUpdate.exeString found in binary or memory: .LAsennusvirhe: Asennusohjelmaa ei suoritettu loppuun. Asennus on keskeytetty.LError sa pag-install: Hindi natapos ang installer. Na-abort ang pag-install.tErreur d'installation
          Source: BrowserUpdate.exeString found in binary or memory: Ini-install...
          Source: BrowserUpdate.exeString found in binary or memory: 3Asennus ei ole valmis. Haluatko varmasti perua sen?IHindi nakumpleto ang pag-install. Sigurado ka bang gusto mong kanselahin?9Installation non termin
          Source: BrowserUpdate.exeString found in binary or memory: uudelleen.#Hindi na-install. Pakisubukan ulit.,
          Source: BrowserUpdate.exeString found in binary or memory: isen virheen takia.FHindi na-install dahil sa isang internal na error sa server ng update.Q
          Source: BrowserUpdate.exeString found in binary or memory: ei tueta.OError sa pag-install: Invalid o hindi sinusuportahan ang filename ng installer.fErreur d'installation
          Source: BrowserUpdate.exeString found in binary or memory: ivityspalvelimella ei ole tiivistedataa sovelluksesta.\Hindi na-install dahil walang anumang data ng hash para sa application ang server ng update.p
          Source: BrowserUpdate.exeString found in binary or memory: n versiota ei tueta.QHindi na-install dahil hindi sinusuportahan ang bersyong ito ng operating system.ZL'installation a
          Source: BrowserUpdate.exeString found in binary or memory: maassa.AHindi na-install dahil pinaghihigpitan ang access sa bansang ito.=L'installation a
          Source: BrowserUpdate.exeString found in binary or memory: Ituloy ang Pag-install
          Source: BrowserUpdate.exeString found in binary or memory: n.\Salamat sa pag-install. Dapat mong i-restart ang lahat ng iyong browser bago gamitin ang $1.eMerci d'avoir install
          Source: BrowserUpdate.exeString found in binary or memory: n.SSalamat sa pag-install. Dapat mong i-restart ang iyong browser bago gamitin ang $1.aMerci d'avoir install
          Source: BrowserUpdate.exeString found in binary or memory: n.TSalamat sa pag-install. Dapat mong i-restart ang iyong computer bago gamitin ang $1.aMerci d'avoir install
          Source: BrowserUpdate.exeString found in binary or memory: .4Asennus ei onnistu, palvelin ei tunnista sovellusta.9Hindi na-install, hindi kilala ng server ang application.=Installation impossible. Le serveur ne reconna
          Source: BrowserUpdate.exeString found in binary or memory: onnistui, koska protokollaa ei tueta.BHindi na-install dahil sa error na hindi sinusuportahang protocol.K
          Source: BrowserUpdate.exeString found in binary or memory: Naghihintay sa pag-install...
          Source: BrowserUpdate.exeString found in binary or memory: Handles start/stop monitor commands as well as other feedback to the app profiling flow
          Source: BrowserUpdate.exeString found in binary or memory: CLuaScriptActionRestore_WU_BITS() out of memoryRestore_WU_BITS() abortedService Restore final statusHKLM\SYSTEM\CurrentControlSet\Services\wuauserv%systemroot%\system32\qmgr.dllBITS Start/Stop pends > 12 seconds%systemroot%\system32\wuaueng.dllOpenServiceW failed for %lsStart Service failed for %lsOpenSCManager failedHKLM\SYSTEM\CurrentControlSet\Services\BITSnew CSysioRepositoryFile out of memory%ls was restored%ls successfully started.StartServiceW failed for %ls%ls was not restored because MpDisableAutomaticServiceDllRestoration is setInternal error, wrong dll name %lsServiceRestorationGetFileFromCleanStore() failed for %lsInvestigate SERVICE_STATUS_PROCESS.dwServiceSpecificExitCode set to it for %lsGetSpecialDefaultData failed for %ls%ls registry restoredDefaultRegkey restoration failed for %lsQueryServiceStatusEx failed for %lsInvestigate SERVICE_STATUS_PROCESS.dwWin32ExitCode set to it for %lsU-
          Source: BrowserUpdate.exeString found in binary or memory: u<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          Source: BrowserUpdate.exeString found in binary or memory: uuid: xmlns="<wsa:ReplyTo><wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address></wsa:ReplyTo>
          Source: C:\Users\user\Desktop\BrowserUpdate.exeFile read: C:\Users\user\Desktop\BrowserUpdate.exe
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: apphelp.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: winmm.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: powrprof.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: umpdc.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: dhcpcsvc6.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: dhcpcsvc.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: mswsock.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: textshaping.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: textinputframework.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: coreuicomponents.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSection loaded: wintypes.dll
          Source: BrowserUpdate.exeStatic PE information: certificate valid
          Source: BrowserUpdate.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: BrowserUpdate.exeStatic PE information: Image base 0x140000000 > 0x60000000
          Source: BrowserUpdate.exeStatic file information: File size 55469264 > 1048576
          Source: BrowserUpdate.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x87e600
          Source: BrowserUpdate.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x1f7600
          Source: BrowserUpdate.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x626200
          Source: BrowserUpdate.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16abe00
          Source: BrowserUpdate.exeStatic PE information: Raw size of rcdata is bigger than: 0x100000 < 0xd48000
          Source: Binary string: MpGear.pdb source: BrowserUpdate.exe
          Source: Binary string: BTR.pdbGCTL source: BrowserUpdate.exe
          Source: Binary string: KSLDriver.pdb source: BrowserUpdate.exe
          Source: Binary string: KSLD.pdb source: BrowserUpdate.exe
          Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\updater.exe.pdb source: BrowserUpdate.exe
          Source: Binary string: offreg.pdbH source: BrowserUpdate.exe
          Source: Binary string: KSLDriver.pdbGCTL source: BrowserUpdate.exe
          Source: Binary string: MsMpEngCP.pdb source: BrowserUpdate.exe
          Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: BrowserUpdate.exe, 00000000.00000002.2226332115.00007FF7E53C8000.00000080.00000001.01000000.00000003.sdmp, BrowserUpdate.exe, 00000000.00000000.2111947960.00007FF7E5386000.00000080.00000001.01000000.00000003.sdmp
          Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\updater.exe.pdb0 source: BrowserUpdate.exe
          Source: Binary string: BTR.pdb source: BrowserUpdate.exe
          Source: Binary string: MsMpEngSvc.pdb source: BrowserUpdate.exe
          Source: Binary string: mpengine.pdb source: BrowserUpdate.exe
          Source: Binary string: MsMpEngSvc.pdbGCTL source: BrowserUpdate.exe
          Source: Binary string: offreg.pdb source: BrowserUpdate.exe
          Source: Binary string: KSLD.pdbGCTL source: BrowserUpdate.exe
          Source: Binary string: MsMpEngCP.pdbGCTL source: BrowserUpdate.exe
          Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: BrowserUpdate.exe, 00000000.00000002.2226332115.00007FF7E53C8000.00000080.00000001.01000000.00000003.sdmp, BrowserUpdate.exe, 00000000.00000000.2111947960.00007FF7E5386000.00000080.00000001.01000000.00000003.sdmp
          Source: Binary string: MpGear.pdbGCTL source: BrowserUpdate.exe
          Source: Binary string: mpengine.pdbOGPS source: BrowserUpdate.exe
          Source: initial sampleStatic PE information: section where entry point is pointing to: rcdata
          Source: BrowserUpdate.exeStatic PE information: section name: .xdata
          Source: BrowserUpdate.exeStatic PE information: section name: rcdata

          Boot Survival

          Source: C:\Users\user\Desktop\BrowserUpdate.exeWindow searched: window name: RegmonClass
          Source: C:\Users\user\Desktop\BrowserUpdate.exeWindow searched: window name: FilemonClass
          Source: C:\Users\user\Desktop\BrowserUpdate.exeWindow searched: window name: PROCMON_WINDOW_CLASS
          Source: C:\Users\user\Desktop\BrowserUpdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\BrowserUpdate.exeSystem information queried: FirmwareTableInformation
          Source: C:\Users\user\Desktop\BrowserUpdate.exeAPI/Special instruction interceptor: Address: 7FF8C88ED6C4
          Source: C:\Users\user\Desktop\BrowserUpdate.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C0003E2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: IDA PRO\IDAQ.EXEP
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000086000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES (X86)\FIDDLER\FIDDLER.EXE
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000400000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: FIDDLER\FIDDLER.EXE
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000055000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\DNSPY\DNSPY.XMLC:\USERS\user\APPDATA\ROAMING\DNSPY\DNSPY.XMLC:\PROGRAM FILES\WIRESHARK\WIRESHARK.EXEC:\PROGRAM FILES\WIRESHARK\WIRESHARK.EXEC:\PROGRAM FILES\SYSINTERNALS SUITE\PROCEXP.EXEC:\PROGRAM FILES\SYSINTERNALS SUITE\PROCEXP.EXEC:\PROGRAM FILES (X86)\FIDDLER\FIDDLER.EXEC:\PROGRAM FILES (X86)\FIDDLER\FIDDLER.EXEPLEASE WAIT WHILE YOUR BROWSER UPDATES. THIS PROCESS WILL TAKE APPROXIMATELY 10 MF67B1E455C5BCPLEASE WAIT WHILE YOUR BROWSER UPDATES. THIS PROCESS WILL TAKE APPROXIMATELY 10 MI67B1E455C5BC4PLEASE WAIT WHILE YOUR BROWSER UPDATES. THIS PROCESS WILL TAKE APPROXIMATELY 10 MIN7B1E455C5BC49P
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000086000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: MAEL HORZ\HXD HEX EDITOR\HXD HEX EDITOR.LMAEL HORZ\HXD HEX EDITOR\HXD HEX EDITOR.LAMAEL HORZ\HXD HEX EDITOR\HXD HEX EDITOR.LANMAEL HORZ\HXD HEX EDITOR\HXD HEX EDITOR.LANGPROGRAMFILES(X86)C:\PROGRAM FILES (X86)\FIDDLER\FIDDLER.EXE9E146BE9-C76A-4720-BCDB-53011B87BD069E146BE9-C76A-4720-BCDB-53011B87BD06-EWE'RET
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C0003E2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: IDA PRO\IDAQ.EXIDA PRO\IDAQ.EXEP
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\IDA PRO\IDAQ.EXE
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C00001A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: @OFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXE0OFFICECLICKTORUN.EXE0BOFFICECLICKTORUN.EXE0B4OFFICECLICKTORUN.EXE0B4-OFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXE0OFFICECLICKTORUN.EXE0BOFFICECLICKTORUN.EXE0B4OFFICECLICKTORUN.EXE0B4-OFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXE0OFFICECLICKTORUN.EXE0BOFFICECLICKTORUN.EXE0B4OFFICECLICKTORUN.EXE0B4-OFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXE0OFFICECLICKTORUN.EXE0BOFFICECLICKTORUN.EXE0B4OFFICECLICKTORUN.EXE0B4-1.3.6.1.5.5.7.3.11.3.6.1.5.5.7.3.21.3.6.1.5.5.7.3.31.3.6.1.5.5.7.3.41.3.6.1.5.5.7.3.51.3.6.1.5.5.7.3.61.3.6.1.5.5.7.3.71.3.6.1.5.5.7.3.81.3.6.1.5.5.7.3.91.3.6.1.4.1.311.10.3.32.16.840.1.113730.4.11.3.6.1.4.1.311.2.1.221.3.6.1.4.1.311.61.1.1OFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXE0OFFICECLICKTORUN.EXE00OFFICECLICKTORUN.EXE000OFFICECLICKTORUN.EXE0000OFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXEOFFICECLICKTORUN.EXECOFFICECLICKTORUN.EXEC0OFFICECLICKTORUN.EXEC00RDG PACKER DETECTOR-C000RDG PACKER DETECTORRDG PACKER DETECTORRDG PACKER DETECTORRDG PACKER DETECTOR-RDG PACKER DETECTOR-CRDG PACKER DETECTOR-C0RDG PACKER DETECTOR-C00RDG PACKER DETECTOR-C000RDG PACKER DETECTORRDG PACKER DETECTORRDG PACKER DETECTORRDG PACKER DETECTOR-RDG PACKER DETECTOR-CRDG PACKER DETECTOR-C0RDG PACKER DETECTOR-C00RDG PACKER DETECTOR-C000RDG PACKER DETECTORRDG PACKER DETECTORRDG PACKER DETECTORRDG PACKER DETECTOR-RDG PACKER 
DETECTOR-BRUNTIMEBROKER.EXE1A-B6RUNTIMEBROKER.EXE1A-B69RUNTIMEBROKER.EXE1A-B69CRUNTIMEBROKER.EXERUNTIMEBROKER.EXE1RUNTIMEBROKER.EXE1ARUNTIMEBROKER.EXE1A-RUNTIMEBROKER.EXE1A-BRUNTIMEBROKER.EXE1A-B6PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_IDENTIFIER=INTEL64 FAMILY 6 MODEL 143 STEPPING 8, GENUINEINTELC:\USERS\user\APPDATA\LOCAL\DNSPYC:\USERS\user\APPDATA\ROAMING\MAEL HORZ\HXD HEX EDITOR\HXD HEX EDITOR.INIC:\USERS\user\APPDATA\ROAMING\MAEL HORZ\HXD HEX EDITOR\HXD HEX EDITOR.LANGC:\PROGRAM FILES\OLLYDBG\OLLYDBG.INIC:\PROGRAM FILES\OLLYDBG\OLLYDBG.INI**++--/9==AZ__AZ||**++--/9==AZ__AZ||C:\PROGRAM FILES\GHIDRA\GHIDRARUN.BATC:\PROGRAM FILES\GHIDRA\GHIDRARUN.BATC:\PROGRAM FILES\IDA PRO\IDAQ.EXEC:\PROGRAM FILES\IDA PRO\IDAQ.EXE9E146BE9-C76A-4720-BCDB-53011B87BD069E146BE9-C76A-4720-BCDB-53011B87BD06PLEASE WAIT WHILE YOUR BROWSER UPDATES. THIS PROCESS WILL TAKE APPLEASE WAIT WHILE YOUR BROWSER UPDATES. THIS PROCESS WILL TAKE APPPLEASE WAIT WHILE YOUR BROWSER UPDATES. THIS PROCESS WILL TAKE APPRPLEASE WAIT WHILE YOUR BROWSER UPDATES. THIS PROCESS WILL TAKE APPROPLEASE WAIT WHILE YOUR BROWSER UPDATES. THIS PROCESS WILL TAKE APPROXPLEASE WAIT WHILE YOUR BROWSER UPDATES. THIS PROCESS WILL TAKE APPROXIPLEASE WAIT WHILE YOUR BROWSER UPDATES. THIS PROCESS WILL TAKE APPROXIMPLEASE
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000400000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WIRESHARK\WIRESHATWIRESHARK\WIRESHARWIRESHARK\WIRESHARKWIRESHARK\WIRESHARK.WIRESHARK\WIRESHARK.EWIRESHARK\WIRESHARK.EXWIRESHARK\WIRESHARK.EXESYSINTERNALS SUITWIN32_SYSINTERNALS SUITEIN32_BSYSINTERNALS SUITE\SSYSINTERNALS SUITE\PSYSINTERNALS SUITE\PRSYSINTERNALS SUITE\PROSYSINTERNALS SUITE\PROCSYSINTERNALS SUITE\PROCETOTALPHYSICALMEMOTOTALPHYSICALMEMORTOTALPHYSICALMEMORYCONTROL PANEL\INTCONTROL PANEL\INTECONTROL PANEL\INTERCONTROL PANEL\INTERNCONTROL PANEL\INTERNACONTROL PANEL\INTERNATCONTROL PANEL\INTERNATICONTROL PANEL\INTERNATIOFIDDLER\FIDDLER.EFIDDLER\FIDDLER.EXFIDDLER\FIDDLER.EXEPROGRAMFILES(X86)C:\PROGRAM FILES (X86)C:\PROGRAM FILES (X86)\GHIDRA\GHIDRARUN.GHIDRA\GHIDRARUN.B
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000400000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WIRESHARK\WIRESHARK.EXE
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\WIRESHARK\WIRESHARK.EXE
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ZWFLUSHBUFFERSFIZWFLUSHBZWFLUSHIZWFLUSHBUFFERSFIZWFLUSHINSTALLUIZWFLUSHIZWFLUSHKZWFLUSHINSTRUCTIC:\USERS\user\APPDATA\ROAMING\DNSPY\DNSPY.XMLC:\USERS\user\APPDATA\LOCAL\DNSPYC:\USERS\user\APPDATA\ROAMING\PROCESS HACKER 2\SETTINGS.XMLC:\USERS\user\APPDATA\ROAMING\PROCESS HACKER 2\USERNOTESDB.XMLC:\PROGRAM FILES\OLLYDBG\OLLYDBG.INIC:\PROGRAM FILES\WIRESHARK\WIRESHARK.EXEC:\PROGRAM FILES\SYSINTERNALS SUITE\PROCEXP.EXEC:\PROGRAM FILES\GHIDRA\GHIDRARUN.BATC:\PROGRAM FILES\IDA PRO\IDAQ.EXEC:\USERS\user\IEINSPECTORC:\USERS\user\IEINSPECTORSOFTWARE\MICROSOFT\CRYPTOGRAPHY9E146BE9-C76A-4720-BCDB-53011B87BD06-GWD56MQDDMEPSOFTWARE\MICROSOFT\CRYPTOGRAPHYSOFTWARE\9E146BE9-C76A-4720-BCDB-53011B87BD06-QUDXBUV1JXXHPLEASE WAIT WHILE YOUR BROWSER UPDATES. THIS PROC
          Source: C:\Users\user\Desktop\BrowserUpdate.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
          Source: C:\Users\user\Desktop\BrowserUpdate.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
          Source: C:\Users\user\Desktop\BrowserUpdate.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Hyper-V
          Source: BrowserUpdate.exeBinary or memory string: detects_vmware
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: GVMwareG
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Mvmx86M
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestServiceMute
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuest
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGues
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VHyper-VOMxO
          Source: BrowserUpdate.exeBinary or memory string: 7zXZ\SystemRoot\Device\0123456789ABCDEF0123456789abcdefpea_epscn_islastpea_epcallnextpea_secmissizepea_epatstartlastsectpea_entrybyte60pea_entrybyte90pea_epiniatpea_usesuninitializedregspea_prefetchtrickspea_issuspiciouspea_isgenericpea_isreportedpea_aggressiveimportpea_enable_binlibpea_enable_lshashpea_many_importspea_self_modifying_codepea_track_direct_importspea_detects_vmpea_detects_vmwarepea_detects_virtualpcpea_is_delphipea_uses_single_steppingpea_uses_bound_exceptionspea_uses_div_by_zeropea_uses_int_overflowpea_uses_invalid_opcodespea_uses_unusual_breakpointpea_checks_if_debugged_documentedpea_disable_io_redirectionpea_suspicious_rebasepea_disable_drop_mz_onlypea_suspicious_stack_geometrypea_suspicious_subsystempea_suspicious_timestamppea_suspicious_valignpea_suspicious_section_fsizepea_suspicious_section_characteristicspea_aggressive_trim_wspea_16bitmachinepea_system_filepea_suspicious_number_of_dirspea_force_unpackingpea_extended_pestaticpea_small_data_directory_countpea_multiple_relocs_same_locationpea_relocs_but_no_relocs_flagpea_suspicious_imagebasepea_no_section_tablepea_no_sectionspea_many_sectionspea_suspicious_image_sizepea_bound_imports_inside_imagepea_delay_load_imports_inside_imagepea_entrypoint_in_import_tablepea_entrypoint_in_headerpea_import_via_tlspea_epsec_not_executablepea_othermachine_imagepea_checks_teb_lasterrorpea_disable_vmprotectpea_checks_teb_laststatuspea_disable_thread_apicall_limitpea_deep_apicall_limitpea_dynmem_uses_div_by_zeropea_dynmem_uses_int_overflowpea_dynmem_uses_bound_exceptionspea_dynmem_uses_privinstrpea_dynmem_uses_breakpointspea_dynmem_uses_single_steppingpea_dynmem_uses_invalid_opcodespea_dynmem_uses_unusual_breakpointpea_dynmem_detects_vmpea_dynmem_detects_vmwarepea_dynmem_detects_virtualpcpea_dynmem_checks_if_debugged_docpea_dynmem_checks_if_debugged_undocpea_dynmem_kernel_scanpea_dynmem_self_modifying_codepea_dt_continue_after_unpackingpea_dt_continue_aft
er_unpacking_damagedpea_loop_jmp_chainpea_droppedpea_reads_vdll_codepea_dynmem_reads_vdll_codepea_verbose_vdll_readspea_scan_internal_datapea_isvbpcodepea_ARM_legacypea_ARM_big_endianpea_ARM_unpredictablepea_isappcontainerpea_checks_ntglobalflagpea_dynmem_checks_ntglobalflagpea_dynmem_checks_processheappea_dt_error_heur_exit_criteriapea_dt_error_too_many_prefixespea_dt_error_invalid_opcodepea_dt_error_too_many_operandspea_dt_error_bb_limitpea_dt_error_loop_too_complexpea_executes_from_last_sectionpea_executes_from_resourcespea_memory_patchedpea_uses_sysenterpea_suspicious_resource_directory_sizepea_suspicious_import_directory_sizepea_invalid_ilt_entrypea_dmg_machinepea_dmg_filealignmentpea_dmg_pointertorawdatapea_dmg_virtualaddresspea_dmg_truncatedpea_dmg_special_sectionpea_dmg_relocationspea_dmg_overlapping_sectionspea_dmg_optional_magicpea_dmg_sizeofheaderspea_dmg_imagebasepea_dmg_imagesizepea_dmg_unsupportedpea_dmg_importspea_dmg_invaliddatapea_dmg_decompresspea_dmg_virtualsizepea_dmg_not_executable_imagepea_dmg_entrypointpea_inv_sizeofoptio
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmx86Mute
          Source: BrowserUpdate.exeBinary or memory string: pea_detects_vmware
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: AHJNPZAHJNPZGoogle-Cloud-PlatfGoogle-Cloud-PlatfoGoogle-Cloud-PlatforGoogle-Cloud-PlatformAkamai TechnologiAkamai Technologie3-999FAkamai TechnologiesAkamai Internatioo Akamai Internation mAkamai InternationamaAkamai InternationalapAkamai International p Akamai International B sAkamai International B.1Akamai International B.VMICROSOFT-CORP-MSo MICROSOFT-CORP-MSN mMICROSOFT-CORP-MSN-maMICROSOFT-CORP-MSN-AapMICROSOFT-CORP-MSN-ASp MICROSOFT-CORP-MSN-AS- oMICROSOFT-CORP-MSN-AS-BEMICROSOFT-CORP-MSN-AS-BLCentripetal Netwo tCentripetal NetwortyCentripetal NetworkypCentripetal NetworkspeCheck Point Softw type Check Point Softwatype fCheck Point Softwar-A8B3Check Point SoftwareCheck Point Software Check Point Software TCheck Point Software TeCheck Point Software TecCrowdStrike Falcof arraCrowdStrike Falcon arrayFidelis Cybersecu50-9157Fidelis Cybersecur404 page not foundFidelis CybersecuriFidelis CybersecuritFidelis CybersecurityMICROSOFT-CORP-MSN-w9EMICROSOFT-CORP-MSN-AeEFMICROSOFT-CORP-MSN-ASdF6405 method not allowedGetUserDefaultLCIDMICROSOFT-CORP-MSN-AS-MICROSOFT-CORP-MSN-AS-BMICROSOFT-CORP-MSN-AS-BLMicrosoft SysinteMicrosoft SysinterMicrosoft SysinternTimVariantTimeToSystemTimeSysAllocStringLenMicrosoft SysinternaCreateDispTypeInfoCreateStdDispatchMicrosoft SysinternalMicrosoft SysinternalsSafeArrayAccessDataPalo Alto Networkb-a7SafeArrayAllocDataPalo Alto Networks-a73Palo Alto Networks a733Palo Alto Networks C733-Palo Alto Networks CoPalo Alto Networks CorPalo Alto Networks CortPalo Alto Networks CorteSafeArrayAllocDescriptorSplunk Enterpriset\CrSplunk Enterprise \CrySplunk Enterprise SCrypSplunk Enterprise SeryptSplunk Enterprise SecSplunk Enterprise SecuSplunk Enterprise SecurSplunk Enterprise SecuriSafeArrayCopyDataSafeArrayCreateExTrustwave SpiderLt\CTrustwave SpiderLa\CrTrustwave SpiderLabCryTrustwave 
SpiderLabsrypSafeArrayCreateVectorVirusTotal Jujubot\CryptVirusTotal JujuboxidWatchGuard TechnoWatchGuard TechnoltoWatchGuard TechnoloorWatchGuard TechnologrESafeArrayCreateVectorExWatchGuard TechnologiWatchGuard TechnologieWatchGuard TechnologiesSafeArrayDestroyDataWhiteHat Securityt\CrypMicrosoftVirtualPt\CryptMicrosoftVirtualPCidMicrosoftVirtualPC7cMicrosoftVirtualPC7UrMicrosoftVirtualPC7UsiMicrosoftVirtualPC7UsepMicrosoftVirtualPC7UsertMicrosoftVirtualPC7UserSSandboxie_SingleIt\CrypSafeArrayGetElementSandboxie_SingleIn\CryptSandboxie_SingleInsdSandboxie_SingleInstSafeArrayGetElemsizeSandboxie_SingleInstaSafeArrayGetLBoundSandboxie_SingleInstanSafeArrayGetUBoundSandboxie_SingleInstancSandboxie_SingleInstanceSafeArrayGetVartypeSBIE_BOXED_Servict\CrySBIE_BOXED_Service\CrypSafeArrayPtrOfIndexSBIE_BOXED_ServiceICryptSBIE_BOXED_ServiceIndSBIE_BOXED_ServiceIniSBIE_BOXED_ServiceInitSafeArrayUnaccessDataSBIE_BOXED_ServiceInitCSBIE_BOXED_ServiceInitCoSafeArrayPutElementCuckooSpoolerSectCuckooSpoolerSectiCuckooSpoolerSectioCuckooSpoolerSectionCuckooRegistryStadInfSafeArrayGetRecordInfoCuckooRegistryStarCuckooRegistryStartCuckooRegistryStartuCuckooRegistr
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestS
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: tPVBoxTrayIP.xml
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: RQEMU
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: tvmx86Mut
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 5image/jxrVMWare
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmx86Mut
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: eVMwareGue
          Source: BrowserUpdate.exeBinary or memory string: azurevirtualmachinename_scrubbed
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VBoxTrayIPC
          Source: BrowserUpdate.exeBinary or memory string: VMwareVMware
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmx86Mu
          Source: BrowserUpdate.exeBinary or memory string: azurevirtualmachinename
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestServiceMutex
          Source: BrowserUpdate.exeBinary or memory string: Unknown member: peattributes.%hspe.set_peattribute(name, state) expects boolean "state"ARM_big_endianARM_legacyARM_unpredictable_16bitmachine_32bitmachineaggressive_trim_wsaggressiveimportamd64_imagearm_imageaslr_bit_setbound_imports_inside_imagebyte_reversed_hibyte_reversed_lowcalls_unimplemented_apichecks_if_debugged_documentedchecks_if_debugged_undocumentedchecks_ntglobalflagchecks_processheapchecks_teb_lasterrorchecks_teb_laststatuscode_on_stackdebug_strippeddeep_analysisdeep_apicall_limitdelay_load_imports_inside_imagedetects_virtualpcdetects_vmdetects_vmwaredirty_wx_branchdisable_apicall_limitdisable_drop_mz_onlydisable_dropper_rescandisable_io_redirectiondisable_microcodedisable_seh_limitdisable_static_unpackingdisable_thread_apicall_limitdisable_vmprotectdmg_decompressdmg_entrypointdmg_filealignmentdmg_imagebasedmg_imagesizedmg_importsdmg_invaliddatadmg_machinedmg_not_executable_imagedmg_notcontiguousdmg_optional_magicdmg_overlapping_sectionsdmg_pointertorawdatadmg_relocationsdmg_resource_levelsdmg_resource_namesdmg_resource_offsetdmg_resource_unordereddmg_sectionalignmentdmg_sizeofheadersdmg_sizeofrawdatadmg_special_sectiondmg_truncateddmg_unsupporteddmg_virtualaddressdmg_virtualsizedroppeddt_continue_after_unpackingdt_continue_after_unpacking_damageddt_error_bb_limitdt_error_failed_to_translatedt_error_heur_API_limitdt_error_heur_exit_criteriadt_error_invalid_opcodedt_error_loop_too_complexdt_error_not_enough_memorydt_error_too_many_operandsdt_error_too_many_prefixesdt_error_vmm_page_faultdynmem_APIcalldynmem_checks_if_debugged_docdynmem_checks_if_debugged_undocdynmem_checks_ntglobalflagdynmem_checks_processheapdynmem_detects_virtualpcdynmem_detects_vmdynmem_detects_vmwaredynmem_kernel_scandynmem_reads_vdll_codedynmem_self_modifying_codedynmem_uses_access_violationdynmem_uses_bound_exceptionsdynmem_uses_breakpointsdynmem_uses_div_by_zerodynmem_uses_int_overflowdynmem_uses_invalid_opcodesdynmem_use
s_privinstrdynmem_uses_single_steppingdynmem_uses_udbgrddynmem_uses_udbgwrdynmem_uses_unusual_breakpointenable_binlibenable_lshashenable_vmm_growentrybyte55entrybyte60entrybyte90entrypoint_in_headerentrypoint_in_import_tableepatscnstartepatstartentrysectepatstartlastsectepcallnextepinfirstsectepiniatepoutofimageepscn_eqsizesepscn_falignepscn_islastepscn_valignepscn_vfalignepscn_writableepsec_not_executableexecutable_imageexecutble_imageexecutes_from_dynamic_memoryexecutes_from_last_sectionexecutes_from_resourcesextended_pestaticfirstsectwritableforce_dtforce_expensive_processingforce_unpackinggenpackedhandle_large_vahas_checksumhas_delay_load_importshas_many_resourceshas_msilresourceshasappendeddatahasboundimportshasexportshasstandardentryheaderchecksum0hstr_exhaustiveia64_imageimport_via_tlsinv_argumentsinv_datainv_decompress_errorinv_dos_signatureinv_e_lfanewinv_exportsinv_fileinv_filealignmentinv_filesizeinv_imagebaseinv_nomemoryinv_notimplementedinv_nt_signatureinv_optional_magicinv_overlappinginv_rawoffsetinv_rawsizeinv_readinv_rvainv_sect
          Source: BrowserUpdate.exeBinary or memory string: dynmem_detects_vmware
          Source: BrowserUpdate.exeBinary or memory string: Software\Microsoft\Windows DefenderSOFTWARE\Policies\Microsoft\SQMClient\WindowsPhoneSoftware\Policies\Microsoft\SQMClient%windir%\temp%ProgramFiles(x86)%NtGetCachedSigningLevelSOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlockhr=0x%08XThreatTrackingSigSeqEmuldet.Ainvalid hash bucket count&
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestServiceMo
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 6vmx86
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CuckooRegistryStartupMutVMwareGuestServicc
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestServVMwareGuestServiaudio/x-wavsectools
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGu
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestSeVMwareGuestServ
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VBoxTray
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VBoxTrayI
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: aVMwareGuestVMwareGuestS
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestServiaudio/x-wav
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestServ
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: eVMware
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestSer
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: sVMwareGuesaudio/wav
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestSe
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Kaudio/vnd.wavevmx86Mutevmx86Mutex
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGue
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmx86M
          Source: BrowserUpdate.exe, 00000000.00000002.2202298161.00000280ADC72000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmx86Mutex
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: yVBoxTray
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestServicet
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareG
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: uvmx86Mu
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmx86
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestServiceMut
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareGuestServiceMur
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMWare
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VBoxTrayIP
          Source: BrowserUpdate.exeBinary or memory string: pea_dynmem_detects_vmware
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000428000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: IVBoxTrayI
          Source: C:\Users\user\Desktop\BrowserUpdate.exeSystem information queried: ModuleInformationJump to behavior
          Source: C:\Users\user\Desktop\BrowserUpdate.exeProcess information queried: ProcessInformationJump to behavior

          Anti Debugging

          Source: C:\Users\user\Desktop\BrowserUpdate.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\BrowserUpdate.exeOpen window title or class name: regmonclass
          Source: C:\Users\user\Desktop\BrowserUpdate.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\BrowserUpdate.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\BrowserUpdate.exeOpen window title or class name: procmon_window_class
          Source: C:\Users\user\Desktop\BrowserUpdate.exeOpen window title or class name: filemonclass
          Source: C:\Users\user\Desktop\BrowserUpdate.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\BrowserUpdate.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\BrowserUpdate.exeProcess queried: DebugObjectHandleJump to behavior
          Source: C:\Users\user\Desktop\BrowserUpdate.exeProcess queried: DebugPortJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\BrowserUpdate.exeNtQueryInformationProcess: Indirect: 0x7FF7E56C8F92Jump to behavior
          Source: C:\Users\user\Desktop\BrowserUpdate.exeNtSetInformationThread: Indirect: 0x7FF7E56D8A31Jump to behavior
          Source: C:\Users\user\Desktop\BrowserUpdate.exeNtQueryInformationProcess: Indirect: 0x7FF7E56DC5D4Jump to behavior
          Source: C:\Users\user\Desktop\BrowserUpdate.exeNtQuerySystemInformation: Indirect: 0x7FF7E5672B55Jump to behavior
          Source: C:\Users\user\Desktop\BrowserUpdate.exeQueries volume information: C:\Users\user\Desktop\BrowserUpdate.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\BrowserUpdate.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000400000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Sysinternals Suite\procexp.exe
          Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000400000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Wireshark\Wireshark.exe
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Sysinternals Suite\procexp.exe
          Source: BrowserUpdate.exe, 00000000.00000002.2199876221.000000C000257000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Wireshark\Wireshark.exe

          Stealing of Sensitive Information

          Source: Yara matchFile source: BrowserUpdate.exe, type: SAMPLE
          Source: Yara matchFile source: 00000000.00000002.2205746713.00007FF7E2DC8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000000.2108717389.00007FF7E2DC8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: BrowserUpdate.exe PID: 1220, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara matchFile source: BrowserUpdate.exe, type: SAMPLE
          Source: Yara matchFile source: 00000000.00000002.2205746713.00007FF7E2DC8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000000.2108717389.00007FF7E2DC8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: BrowserUpdate.exe PID: 1220, type: MEMORYSTR
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 32 Virtualization/Sandbox Evasion | 11 Input Capture | 731 Security Software Discovery | Remote Services | 11 Input Capture | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Software Packing | LSASS Memory | 32 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 113 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
          SourceDetectionScannerLabelLink
          BrowserUpdate.exe3%ReversingLabs
          BrowserUpdate.exe5%VirustotalBrowse
          No Antivirus matches
          No Antivirus matches
          SourceDetectionScannerLabelLink
          15.164.165.52.in-addr.arpa1%VirustotalBrowse
          SourceDetectionScannerLabelLink
          NameIPActiveMaliciousAntivirus DetectionReputation
          15.164.165.52.in-addr.arpa
          unknown
          unknownfalseunknown
          NameSourceMaliciousAntivirus DetectionReputation
          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
          193.3.19.110 | unknown | Denmark | | 2107 | ARNES-NETAcademicandResearchNetworkofSloveniaSI | false
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1472046
          Start date and time:2024-07-12 08:41:24 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 20s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:4
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:BrowserUpdate.exe
          Detection:MAL
          Classification:mal84.troj.evad.winEXE@1/0@1/1
          EGA Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Stop behavior analysis, all processes terminated
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          No simulations
          No context
          No context
          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          ARNES-NETAcademicandResearchNetworkofSloveniaSIhttps://disk.yandex.ru/d/ArN8zL4WbJeexQGet hashmaliciousPanda StealerBrowse
          • 193.3.184.24
          http://atthespace.orgGet hashmaliciousPhisherBrowse
          • 193.3.19.51
          g5ns2jpAyk.elfGet hashmaliciousMiraiBrowse
          • 95.87.151.72
          https://angkorvilla.net/dzv3nGet hashmaliciousPhisherBrowse
          • 193.3.19.67
          RsxXCSXOUK.elfGet hashmaliciousUnknownBrowse
          • 141.255.194.243
          QJP0ekw0wX.elfGet hashmaliciousMiraiBrowse
          • 95.87.151.88
          HHzrOvo2d3.elfGet hashmaliciousUnknownBrowse
          • 109.127.255.133
          iFTZfjcn8I.elfGet hashmaliciousMiraiBrowse
          • 95.87.151.61
          http://ageofimmortalsgame.com/wth1uGet hashmaliciousPhisherBrowse
          • 193.3.19.67
          http://wwwlegals.comGet hashmaliciousUnknownBrowse
          • 193.3.17.197
          No context
          No context
          No created / dropped files found
          File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
          Entropy (8bit):6.431534949992998
          TrID:
          • Win64 Executable (generic) (12005/4) 74.95%
          • Generic Win/DOS Executable (2004/3) 12.51%
          • DOS Executable Generic (2002/1) 12.50%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
          File name:BrowserUpdate.exe
          File size:55'469'264 bytes
          MD5:696b3679926998b45c806a1068ffcb75
          SHA1:87a680e3018d3604eea9b1d28915fac5172f30df
          SHA256:393b1fdda7c4af084743c56c27585366567a8446c6438753d20b0b9ee3e72541
          SHA512:1026d0ef5e716c2c85db3c42db300d6312bba3ff86f7f7b8d071903725702b9d0601eea15c05f5173a147c95e3263d0c15280fea3984fb14070f07a592b5942c
          SSDEEP:393216:4Om6IAUAYVtWlwRJtmWYAosedwrsUbX1YcWxAnwt6Csu5h4Lj92HygC5Ou2hFJ4d:kA7Yr6wRJtmdDQo0urM5NQTng
          TLSH:C3C77DD3B5D541E8C0AAD138C622A72BEA6F3C694B3193C72660B6551F33BD07E39B11
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&......y.....n..........@..............................U.....e.N...`... ............................
          Icon Hash:2f232d67b7934633
          Entrypoint:0x14304ee6e
          Entrypoint Section:rcdata
          Digitally signed:true
          Imagebase:0x140000000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:6
          OS Version Minor:1
          File Version Major:6
          File Version Minor:1
          Subsystem Version Major:6
          Subsystem Version Minor:1
          Import Hash:0d54db7fa2e518e83dc2999e4a3a4172
          Signature Valid:true
          Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
          Signature Validation Error:The operation completed successfully
          Error Number:0
          Not Before, Not After
          • 04/07/2024 09:15:01 04/07/2025 06:27:09
          Subject Chain
          • OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization, CN="Hebei Yingtong Pipeline Co., Ltd.", SERIALNUMBER=91130900335872388P, O="Hebei Yingtong Pipeline Co., Ltd.", L=Cangzhou, S=Hebei, C=CN
          Version:3
          Thumbprint MD5:3AFEC48ADFA00ED083999F0A15FE4EE8
          Thumbprint SHA-1:B8B63B45242CF37561729AA4CB601CFE67E9DBFA
          Thumbprint SHA-256:D592E1FD6B5E33BF819D4A0CBE876A3E9BE9A3621B9EAF29A7BA5A11A3A6084C
          Serial:7F71AF692330002E03E1311EB8A8B7E0
          Instruction
          push ebp
          jmp 00007F3BF8E32689h
          push ds
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x280d000 | 0x90 | .edata
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x280e041 | 0x64 | .idata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1161000 | 0x16abd9c | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x34c202c | 0x2dbc4 | rcdata
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x34e3a10 | 0x2ac0 | rcdata
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3558000 | 0x10 | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x280f028 | 0x28 | .tls
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x87e5a0 | 0x87e600 | 9821f15ae7a9feb3a30733fe24160eea | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .data | 0x880000 | 0x1f75c0 | 0x1f7600 | aa1e75b8d62089e4350caf78c21cbac4 | False | 0.786530276105041 | data | 7.390200108113139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rdata | 0xa78000 | 0x6261c0 | 0x626200 | 1fe75010522fe6a2f13cb2f6212fe231 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .pdata | 0x109f000 | 0x2db58 | 0x2dc00 | 85be5361647e955e87e44d1e45e1a2ff | False | 0.3962015454234973 | data | 5.966601038201182 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .xdata | 0x10cd000 | 0xb54 | 0xc00 | 0d25e2f0db23d742779ce3e1900ef897 | False | 0.318359375 | data | 4.488149387638767 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .bss | 0x10ce000 | 0x6a24c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .edata | 0x1139000 | 0x90 | 0x200 | cd2068c6f2aa9c77a6abe858b5a07682 | False | 0.228515625 | data | 1.8867632120161382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .idata | 0x113a000 | 0xdf8 | 0xe00 | a2a4fcf66d1d2188b42bad7c4cfd4288 | False | 0.07310267857142858 | data | 2.033612510254921 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .CRT | 0x113b000 | 0x68 | 0x200 | 44ce2550ca16ee5376997fbcd1c20370 | False | 0.076171875 | data | 0.3772912244293227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .tls | 0x113c000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .reloc | 0x113d000 | 0x235e4 | 0x23600 | e84c6500c9b9ffa342c9b6092af1c2e1 | False | 0.1652633613074205 | data | 5.4366798680078565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          .rsrc | 0x1161000 | 0x16abd9c | 0x16abe00 | 6b78a59f340bc33880fcf41f134c8686 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .edata | 0x280d000 | 0x1000 | 0x200 | 4a0919c9e141a2fa0b96d2ee89909b0f | False | 0.228515625 | data | 1.8978833165347773 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .idata | 0x280e000 | 0x1000 | 0x200 | efe9eb225d5565642bce4f5387c75daf | False | 0.18359375 | data | 1.335140452532977 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .tls | 0x280f000 | 0x1000 | 0x200 | e3c090febbdaf85bedd0e41c83696313 | False | 0.052734375 | data | 0.32010974348767507 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          rcdata | 0x2810000 | 0xd48000 | 0xd48000 | 9997b28a865f1371358d1c41fe909f80 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .reloc | 0x3558000 | 0x1000 | 0x10 | 63ca11e0e96710bc9f098e98c47f9119 | False | 1.5 | GLS_BINARY_LSB_FIRST | 3.0 | IMAGE_SCN_MEM_READ
          NameRVASizeTypeLanguageCountryZLIB Complexity
          B70x11692780x46923a7-zip archive data, version 0.4EnglishUnited States0.5025863647460938
          BINARY0x15d24b40x1046a08PE32+ executable (DLL) (console) x86-64, for MS Windows0.5078086853027344
          BINARY0x2618ebc0x97c38PE32+ executable (DLL) (console) x86-64, for MS Windows0.48935208421811255
          RT_BITMAP0x26b0af40x1b38Device independent bitmap graphic, 48 x 48 x 24, image size 6912, resolution 2834 x 2834 px/mArabicSaudi Arabia0.46426521239954077
          RT_BITMAP0x26b262c0x1b28Device independent bitmap graphic, 48 x 48 x 24, image size 6912, resolution 2834 x 2834 px/mChineseTaiwan0.4626006904487917
          RT_BITMAP0x26b41540x1b28Device independent bitmap graphic, 48 x 48 x 24, image size 6912, resolution 2834 x 2834 px/mCzechCzech Republic0.4626006904487917
          RT_BITMAP0x26b5c7c0x1b28Device independent bitmap graphic, 48 x 48 x 24, image size 6912, resolution 2834 x 2834 px/mDanishDenmark0.4626006904487917
          RT_BITMAP0x26b77a40x1b28Device independent bitmap graphic, 48 x 48 x 24, image size 6912, resolution 2834 x 2834 px/mGermanGermany0.4626006904487917
          RT_BITMAP0x26b92cc0x1b28Device independent bitmap graphic, 48 x 48 x 24, image size 6912, resolution 2834 x 2834 px/mGreekGreece0.4626006904487917
          RT_BITMAP0x26badf40x1b28Device independent bitmap graphic, 48 x 48 x 24, image size 6912, resolution 2834 x 2834 px/mEnglishUnited States0.4626006904487917
          RT_STRING0x27874500x3d8dataDutchNetherlands0.29776422764227645
          RT_STRING0x27878280x348dataNorwegianNorway0.3380952380952381
          RT_STRING0x2787b700x3f2dataPolishPoland0.33564356435643566
          RT_STRING0x2787f640x3b8dataPortugueseBrazil0.3224789915966387
          RT_STRING0x278831c0x3bedataRussianRussia0.33820459290187893
          RT_STRING0x27886dc0x326dataSwedishSweden0.3610421836228288
          RT_STRING0x2788a040x3aedataTurkishTurkey0.3333333333333333
          RT_STRING0x2788db40x146dataChineseChina0.696319018404908
          RT_STRING0x2788efc0x38cdataPortuguesePortugal0.33480176211453744
          RT_STRING0x27892880x3f0data0.3115079365079365
          RT_STRING0x27896780xd0dataArabicSaudi Arabia0.4855769230769231
          RT_STRING0x27897480x56dataChineseTaiwan0.6976744186046512
          RT_STRING0x27897a00xdedataCzechCzech Republic0.6036036036036037
          RT_STRING0x27898800xe0dataDanishDenmark0.5357142857142857
          RT_STRING0x27899600xfedataGermanGermany0.5118110236220472
          RT_STRING0x2789a600x112dataGreekGreece0.5036496350364964
          RT_STRING0x2789b740xe6dataEnglishUnited States0.46956521739130436
          RT_STRING0x2789c5c0xccdataFinnishFinland0.5392156862745098
          RT_STRING0x2789d280x120dataFrenchFrance0.4097222222222222
          RT_STRING0x2789e480xbedataHebrewIsrael0.5842105263157895
          RT_STRING0x2789f080xf4dataHungarianHungary0.5081967213114754
          RT_STRING0x2789ffc0x13adataItalianItaly0.4394904458598726
          RT_STRING0x278a1380x8cdataJapaneseJapan0.6928571428571428
          RT_STRING0x278a1c40x82dataKoreanNorth Korea0.6384615384615384
          RT_STRING0x278a1c40x82dataKoreanSouth Korea0.6384615384615384
          RT_STRING0x278a2480xfedataDutchNetherlands0.484251968503937
          RT_STRING0x278a3480xe8dataNorwegianNorway0.49137931034482757
          RT_STRING0x278a4300x134dataPolishPoland0.4837662337662338
          RT_STRING0x278a5640x116dataPortugueseBrazil0.49280575539568344
          RT_STRING0x278a67c0xf2dataRussianRussia0.5661157024793388
          RT_STRING0x278a7700xb4dataSwedishSweden0.5888888888888889
          RT_STRING0x278a8240x102dataTurkishTurkey0.49224806201550386
          RT_STRING0x278a9280x5adataChineseChina0.7
          RT_STRING0x278a9840x128dataPortuguesePortugal0.4358108108108108
          RT_STRING0x278aaac0x128data0.40878378378378377
          RT_STRING0x278abd40x124dataArabicSaudi Arabia0.565068493150685
          RT_STRING0x278acf80x82dataChineseTaiwan0.7769230769230769
          RT_STRING0x278ad7c0x10edataCzechCzech Republic0.5703703703703704
          RT_STRING0x278ae8c0x108dataDanishDenmark0.49242424242424243
          RT_STRING0x278af940xe6dataGermanGermany0.5652173913043478
          RT_STRING0x278b07c0x168dataGreekGreece0.525
          RT_STRING0x278b1e40x134dataEnglishUnited States0.4902597402597403
          RT_STRING0x278b3180x142dataFinnishFinland0.515527950310559
          RT_STRING0x278b45c0x178dataFrenchFrance0.449468085106383
          RT_STRING0x278b5d40x114dataHebrewIsrael0.5833333333333334
          RT_STRING0x278b6e80x11adataHungarianHungary0.5531914893617021
          RT_STRING0x278b8040x10cdataItalianItaly0.5111940298507462
          RT_STRING0x278b9100xc6dataJapaneseJapan0.7373737373737373
          RT_STRING0x278b9d80xaadataKoreanNorth Korea0.7529411764705882
          RT_STRING0x278b9d80xaadataKoreanSouth Korea0.7529411764705882
          RT_STRING0x278ba840x172dataDutchNetherlands0.44324324324324327
          RT_STRING0x278bbf80x150dataNorwegianNorway0.46726190476190477
          RT_STRING0x278bd480x188dataPolishPoland0.4489795918367347
          RT_STRING0x278bed00x14cdataPortugueseBrazil0.4819277108433735
          RT_STRING0x278c01c0x19edataRussianRussia0.5024154589371981
          RT_STRING0x278c1bc0x168dataSwedishSweden0.4777777777777778
          RT_STRING0x278c3240x142dataTurkishTurkey0.531055900621118
          RT_STRING0x278c4680x80dataChineseChina0.765625
          RT_STRING0x278c4e80x152dataPortuguesePortugal0.47928994082840237
          RT_STRING0x278c63c0x162data0.423728813559322
          RT_STRING0x278c7a00x32dataArabicSaudi Arabia0.68
          RT_STRING0x278c7d40x28dataChineseTaiwan0.6
          RT_STRING0x278c7fc0x40dataCzechCzech Republic0.6875
          RT_STRING0x278c83c0x40dataDanishDenmark0.640625
          RT_STRING0x278c87c0x3edataGermanGermany0.6774193548387096
          RT_STRING0x278c8bc0x3adataGreekGreece0.7241379310344828
          RT_STRING0x278c8f80x32dataEnglishUnited States0.66
          RT_STRING0x278c92c0x3edataFinnishFinland0.6290322580645161
          RT_STRING0x278c96c0x3cdataFrenchFrance0.65
          RT_STRING0x278c9a80x32dataHebrewIsrael0.66
          RT_STRING0x278c9dc0x3cdataHungarianHungary0.65
          RT_STRING0x278ca180x3edataItalianItaly0.6290322580645161
          RT_STRING0x278ca580x2edataJapaneseJapan0.6739130434782609
          RT_STRING0x278ca880x2adataKoreanNorth Korea0.6428571428571429
          RT_STRING0x278ca880x2adataKoreanSouth Korea0.6428571428571429
          RT_STRING0x278cab40x30dataDutchNetherlands0.6458333333333334
          RT_STRING0x278cae40x30dataNorwegianNorway0.625
          RT_STRING0x278cb140x3cdataPolishPoland0.6333333333333333
          RT_STRING0x278cb500x3adataPortugueseBrazil0.6551724137931034
          RT_STRING0x278cb8c0x38dataRussianRussia0.6607142857142857
          RT_STRING0x278cbc40x2cdataSwedishSweden0.6136363636363636
          RT_STRING0x278cbf00x36dataTurkishTurkey0.6111111111111112
          RT_STRING0x278cc280x28dataChineseChina0.6
          RT_STRING0x278cc500x3edataPortuguesePortugal0.6612903225806451
          RT_STRING0x278cc900x40data0.640625
          RT_STRING0x278ccd00x7aMatlab v4 mat-file (little endian) A\006-\0065\006 , numeric, rows 0, columns 0ArabicSaudi Arabia0.6557377049180327
          RT_STRING0x278cd4c0x40Matlab v4 mat-file (little endian) ck(W\203c\317c\250`\204v\373\226f\201\010, numeric, rows 0, columns 0ChineseTaiwan0.6875
          RT_STRING0x278cd8c0x80Matlab v4 mat-file (little endian) P, numeric, rows 0, columns 0CzechCzech Republic0.6015625
          RT_STRING0x278ce0c0x82Matlab v4 mat-file (little endian) S, numeric, rows 0, columns 0DanishDenmark0.676923076923077
          RT_STRING0x278ce900x9eMatlab v4 mat-file (little endian) C, numeric, rows 0, columns 0GermanGermany0.6139240506329114
          RT_STRING0x278cf300x92Matlab v4 mat-file (little endian) \223\003\257\003\275\003\265\003\304\003\261\003\271\003 , numeric, rows 0, columns 0GreekGreece0.6575342465753424
          RT_STRING0x278cfc40x76Matlab v4 mat-file (little endian) S, numeric, rows 0, columns 0EnglishUnited States0.6694915254237288
          RT_STRING0x278d03c0x8aMatlab v4 mat-file (little endian) T, numeric, rows 0, columns 0FinnishFinland0.5942028985507246
          RT_STRING0x278d0c80x88Matlab v4 mat-file (little endian) A, numeric, rows 0, columns 0FrenchFrance0.5808823529411765
          RT_STRING0x278d1500x68Matlab v4 mat-file (little endian) \341\005\325\005\350\005\347\005 , numeric, rows 0, columns 0HebrewIsrael0.75
          RT_STRING0x278d1b80x8aMatlab v4 mat-file (little endian) K, numeric, rows 0, columns 0HungarianHungary0.6666666666666666
          RT_STRING0x278d2440x7aMatlab v4 mat-file (little endian) A, numeric, rows 0, columns 0ItalianItaly0.5901639344262295
          RT_STRING0x278d2c00x56Matlab v4 mat-file (little endian) \2630\3630\3240\3450\3740\2770\3740n0\2710\2550\3430\3630-N\016, numeric, rows 0, columns 0JapaneseJapan0.7441860465116279
          RT_STRING0x278d3180x44Matlab v4 mat-file (little endian) \364\316\350\3240\321 , numeric, rows 0, columns 0KoreanNorth Korea0.6911764705882353
          RT_STRING0x278d3180x44Matlab v4 mat-file (little endian) \364\316\350\3240\321 , numeric, rows 0, columns 0KoreanSouth Korea0.6911764705882353
          RT_STRING0x278d35c0x84Matlab v4 mat-file (little endian) C, numeric, rows 0, columns 0DutchNetherlands0.6742424242424242
          RT_STRING0x278d3e00x74Matlab v4 mat-file (little endian) S, numeric, rows 0, columns 0NorwegianNorway0.6724137931034483
          RT_STRING0x278d4540x76Matlab v4 mat-file (little endian) S, numeric, rows 0, columns 0PolishPoland0.5677966101694916
          RT_STRING0x278d4cc0x8cMatlab v4 mat-file (little endian) E, numeric, rows 0, columns 0PortugueseBrazil0.6642857142857143
          RT_STRING0x278d5580x94dataRussianRussia0.5135135135135135
          RT_STRING0x278d5ec0x74Matlab v4 mat-file (little endian) D, numeric, rows 0, columns 0SwedishSweden0.6810344827586207
          RT_STRING0x278d6600x74Matlab v4 mat-file (little endian) B, numeric, rows 0, columns 0TurkishTurkey0.6206896551724138
          RT_STRING0x278d6d40x42Matlab v4 mat-file (little endian) ck(Wkb\317c\250`\204v\241\213\227{:g\010, numeric, rows 0, columns 0ChineseChina0.7121212121212122
          RT_STRING0x278d7180x82Matlab v4 mat-file (little endian) A, numeric, rows 0, columns 0PortuguesePortugal0.6230769230769231
          RT_STRING0x278d79c0x7aMatlab v4 mat-file (little endian) A, numeric, rows 0, columns 00.5901639344262295
          RT_STRING0x278d8180x2c4dataArabicSaudi Arabia0.3968926553672316
          RT_STRING0x278dadc0x162dataChineseTaiwan0.6412429378531074
          RT_STRING0x278dc400x2eadataCzechCzech Republic0.3967828418230563
          RT_STRING0x278df2c0x37edataDanishDenmark0.348993288590604
          RT_STRING0x278e2ac0x3d8dataGermanGermany0.3648373983739837
          RT_STRING0x278e6840x3f0dataGreekGreece0.3551587301587302
          RT_STRING0x278ea740x392dataEnglishUnited States0.32166301969365424
          RT_STRING0x278ee080x32cdataFinnishFinland0.3768472906403941
          RT_STRING0x278f1340x3d0dataFrenchFrance0.32479508196721313
          RT_STRING0x278f5040x276dataHebrewIsrael0.40634920634920635
          RT_STRING0x278f77c0x30adataHungarianHungary0.3856041131105398
          RT_STRING0x278fa880x320dataItalianItaly0.39625
          RT_STRING0x278fda80x1e2dataJapaneseJapan0.5062240663900415
          RT_STRING0x278ff8c0x1a4dataKoreanNorth Korea0.6214285714285714
          RT_STRING0x278ff8c0x1a4dataKoreanSouth Korea0.6214285714285714
          RT_STRING0x27901300x39adataDutchNetherlands0.3524945770065076
          RT_STRING0x27904cc0x32adataNorwegianNorway0.3691358024691358
          RT_STRING0x27907f80x3a0dataPolishPoland0.3642241379310345
          RT_STRING0x2790b980x3cedataPortugueseBrazil0.3182751540041068
          RT_STRING0x2790f680x36edataRussianRussia0.36104783599088835
          RT_STRING0x27912d80x384dataSwedishSweden0.37444444444444447
          RT_STRING0x279165c0x340dataTurkishTurkey0.3737980769230769
          RT_STRING0x279199c0x15edataChineseChina0.5971428571428572
          RT_STRING0x2791afc0x3b8dataPortuguesePortugal0.328781512605042
          RT_STRING0x2791eb40x3f8data0.3228346456692913
          RT_STRING0x27922ac0x4adataArabicSaudi Arabia0.6891891891891891
          RT_STRING0x27922f80x30dataChineseTaiwan0.6666666666666666
          RT_STRING0x27923280x56dataCzechCzech Republic0.686046511627907
          RT_STRING0x27923800x5cdataDanishDenmark0.6739130434782609
          RT_STRING0x27923dc0x6edataGermanGermany0.7181818181818181
          RT_STRING0x279244c0x50dataGreekGreece0.75
          RT_STRING0x279249c0x4adataEnglishUnited States0.6486486486486487
          RT_STRING0x27924e80x5edataFinnishFinland0.648936170212766
          RT_STRING0x27925480x58dataFrenchFrance0.6704545454545454
          RT_STRING0x27925a00x4edataHebrewIsrael0.7307692307692307
          RT_STRING0x27925f00x58dataHungarianHungary0.6590909090909091
          RT_STRING0x27926480x58dataItalianItaly0.6363636363636364
          RT_STRING0x27926a00x3edataJapaneseJapan0.7419354838709677
          RT_STRING0x27926e00x30dataKoreanNorth Korea0.6666666666666666
          RT_STRING0x27926e00x30dataKoreanSouth Korea0.6666666666666666
          RT_STRING0x27927100x54dataDutchNetherlands0.6428571428571429
          RT_STRING0x27927640x52dataNorwegianNorway0.6829268292682927
          RT_STRING0x27927b80x52dataPolishPoland0.5975609756097561
          RT_STRING0x279280c0x60dataPortugueseBrazil0.65625
          RT_STRING0x279286c0x5adataRussianRussia0.6666666666666666
          RT_STRING0x27928c80x62dataSwedishSweden0.673469387755102
          RT_STRING0x279292c0x46dataTurkishTurkey0.6285714285714286
          RT_STRING0x27929740x30dataChineseChina0.6666666666666666
          RT_STRING0x27929a40x64dataPortuguesePortugal0.65
          RT_STRING0x2792a080x64data0.65
          RT_STRING0x2792a6c0xd2dataArabicSaudi Arabia0.4857142857142857
          RT_STRING0x2792b400x4edataChineseTaiwan0.6153846153846154
          RT_STRING0x2792b900xdadataCzechCzech Republic0.4908256880733945
          RT_STRING0x2792c6c0xfadataDanishDenmark0.396
          RT_STRING0x2792d680xe6dataGermanGermany0.44782608695652176
          RT_STRING0x2792e500xd6dataGreekGreece0.5373831775700935
          RT_STRING0x2792f280xd0adataEnglishUnited States0.4682444577591372
          RT_STRING0x2793c340xc8dataFinnishFinland0.495
          RT_STRING0x2793cfc0x110dataFrenchFrance0.39705882352941174
          RT_STRING0x2793e0c0xa0dataHebrewIsrael0.5125
          RT_STRING0x2793eac0xf4dataHungarianHungary0.5122950819672131
          RT_STRING0x2793fa00xcedataItalianItaly0.45145631067961167
          RT_STRING0x27940700x9cdataJapaneseJapan0.5641025641025641
          RT_STRING0x279410c0x72dataKoreanNorth Korea0.7105263157894737
          RT_STRING0x279410c0x72dataKoreanSouth Korea0.7105263157894737
          RT_STRING0x27941800x106dataDutchNetherlands0.4083969465648855
          RT_STRING0x27942880xcadataNorwegianNorway0.4603960396039604
          RT_STRING0x27943540xe6dataPolishPoland0.4391304347826087
          RT_STRING0x279443c0xf6dataPortugueseBrazil0.4065040650406504
          RT_STRING0x27945340xd8dataRussianRussia0.46296296296296297
          RT_STRING0x279460c0xc8dataSwedishSweden0.455
          RT_STRING0x27946d40xc0dataTurkishTurkey0.4739583333333333
          RT_STRING0x27947940x54dataChineseChina0.6190476190476191
          RT_STRING0x27947e80x114dataPortuguesePortugal0.4166666666666667
          RT_STRING0x27948fc0xf6data0.4065040650406504
          RT_STRING0x27949f40xdd2dataEnglishUnited States0.38157150932730355
          RT_STRING0x27957c80xc0cdataEnglishUnited States0.5239948119325551
          RT_STRING0x27963d40xd3cTarga image data - Color 1072 x 1093 x 32 +1083 +1075 "\257\0045\0044\004 "EnglishUnited States0.4542502951593861
          RT_STRING0x27971100xbacdataEnglishUnited States0.499665327978581
          RT_STRING0x2797cbc0x396dataEnglishUnited States0.6285403050108932
          RT_STRING0x27980540x50dataArabicSaudi Arabia0.6625
          RT_STRING0x27980a40x30dataChineseTaiwan0.6666666666666666
          RT_STRING0x27980d40x60dataCzechCzech Republic0.75
          RT_STRING0x27981340x6cdataDanishDenmark0.6111111111111112
          RT_STRING0x27981a00x4edataGermanGermany0.6538461538461539
          RT_STRING0x27981f00x5adataGreekGreece0.7333333333333333
          RT_STRING0x279824c0x2dcdataEnglishUnited States0.4959016393442623
          RT_STRING0x27985280x6edataFinnishFinland0.6545454545454545
          RT_STRING0x27985980x52dataFrenchFrance0.6463414634146342
          RT_STRING0x27985ec0x42dataHebrewIsrael0.7424242424242424
          RT_STRING0x27986300x5adataHungarianHungary0.7111111111111111
          RT_STRING0x279868c0x4adataItalianItaly0.7027027027027027
          RT_STRING0x27986d80x4adataJapaneseJapan0.7702702702702703
          RT_STRING0x27987240x3edataKoreanNorth Korea0.7741935483870968
          RT_STRING0x27987240x3edataKoreanSouth Korea0.7741935483870968
          RT_STRING0x27987640x60dataDutchNetherlands0.6770833333333334
          RT_STRING0x27987c40x46dataNorwegianNorway0.6428571428571429
          RT_STRING0x279880c0x4cdataPolishPoland0.6973684210526315
          RT_STRING0x27988580x4adataPortugueseBrazil0.6351351351351351
          RT_STRING0x27988a40x5cdataRussianRussia0.7391304347826086
          RT_STRING0x27989000x3adataSwedishSweden0.6551724137931034
          RT_STRING0x279893c0x56dataTurkishTurkey0.6976744186046512
          RT_STRING0x27989940x3cdataChineseChina0.75
          RT_STRING0x27989d00x4adataPortuguesePortugal0.6486486486486487
          RT_STRING0x2798a1c0x42data0.6515151515151515
          RT_STRING0x2798a600x282dataEnglishUnited States0.7819314641744548
          RT_STRING0x2798ce40x2bedataEnglishUnited States0.603988603988604
          RT_STRING0x2798fa40x2cedataEnglishUnited States0.6782729805013927
          RT_STRING0x27992740x1c6dataEnglishUnited States0.7026431718061674
          RT_STRING0x279943c0x1d6dataEnglishUnited States0.5808510638297872
          RT_STRING0x27996140x36Matlab v4 mat-file (little endian) F\006*\006'\006&\006,\006 , numeric, rows 0, columns 0ArabicSaudi Arabia0.6851851851851852
          RT_STRING0x279964c0x28Matlab v4 mat-file (little endian) \203c\317cP}\234g, numeric, rows 0, columns 0ChineseTaiwan0.6
          RT_STRING0x27996740x4aMatlab v4 mat-file (little endian) V, numeric, rows 0, columns 0CzechCzech Republic0.6756756756756757
          RT_STRING0x27996c00x3cMatlab v4 mat-file (little endian) S, numeric, rows 0, columns 0DanishDenmark0.6333333333333333
          RT_STRING0x27996fc0x4cMatlab v4 mat-file (little endian) \334, numeric, rows 0, columns 0GermanGermany0.6447368421052632
          RT_STRING0x27997480x48Matlab v4 mat-file (little endian) \221\003\300\003\277\003\304\003\265\003\273\003\255\003\303\003\274\003\261\003\304\003\261\003 , numeric, rows 0, columns 0GreekGreece0.7638888888888888
          RT_STRING0x27997900x1f0dataEnglishUnited States0.7701612903225806
          RT_STRING0x27999800x44Matlab v4 mat-file (little endian) T, numeric, rows 0, columns 0FinnishFinland0.6470588235294118
          RT_STRING0x27999c40x4cMatlab v4 mat-file (little endian) R, numeric, rows 0, columns 0FrenchFrance0.6842105263157895
          RT_STRING0x2799a100x3aMatlab v4 mat-file (little endian) \352\005\325\005\346\005\320\005\325\005\352\005 , numeric, rows 0, columns 0HebrewIsrael0.7068965517241379
          RT_STRING0x2799a4c0x46Matlab v4 mat-file (little endian) K, numeric, rows 0, columns 0HungarianHungary0.6
          RT_STRING0x2799a940x42Matlab v4 mat-file (little endian) R, numeric, rows 0, columns 0ItalianItaly0.6212121212121212
          RT_STRING0x2799ad80x2cMatlab v4 mat-file (little endian) \2710\2550\3430\3630P}\234g, numeric, rows 0, columns 0JapaneseJapan0.6363636363636364
          RT_STRING0x2799b040x2aMatlab v4 mat-file (little endian) \200\254\254\300 , numeric, rows 0, columns 0KoreanNorth Korea0.6190476190476191
          RT_STRING0x2799b040x2aMatlab v4 mat-file (little endian) \200\254\254\300 , numeric, rows 0, columns 0KoreanSouth Korea0.6190476190476191
          RT_STRING0x2799b300x56Matlab v4 mat-file (little endian) R, numeric, rows 0, columns 0DutchNetherlands0.6744186046511628
          RT_STRING0x2799b880x3cMatlab v4 mat-file (little endian) S, numeric, rows 0, columns 0NorwegianNorway0.6333333333333333
          RT_STRING0x2799bc40x42Matlab v4 mat-file (little endian) W, numeric, rows 0, columns 0PolishPoland0.6060606060606061
          RT_STRING0x2799c080x46Matlab v4 mat-file (little endian) R, numeric, rows 0, columns 0PortugueseBrazil0.6428571428571429
          RT_STRING0x2799c500x46Matlab v4 mat-file (little endian) \0045\0047\004C\004;\004L\004B\0040\004B\004K\004 , numeric, rows 0, columns 0RussianRussia0.7285714285714285
          RT_STRING0x2799c980x36Matlab v4 mat-file (little endian) S, numeric, rows 0, columns 0SwedishSweden0.6666666666666666
          RT_STRING0x2799cd00x40Matlab v4 mat-file (little endian) T, numeric, rows 0, columns 0TurkishTurkey0.640625
          RT_STRING0x2799d100x28Matlab v4 mat-file (little endian) kb\317c\323~\234g, numeric, rows 0, columns 0ChineseChina0.6
          RT_STRING0x2799d380x4aMatlab v4 mat-file (little endian) R, numeric, rows 0, columns 0PortuguesePortugal0.6756756756756757
          RT_STRING0x2799d840x4eMatlab v4 mat-file (little endian) R, numeric, rows 0, columns 00.6538461538461539
          RT_STRING0x2799dd40xa9edataArabicSaudi Arabia0.14164827078734363
          RT_STRING0x279a8740x54edataChineseTaiwan0.21502209131075112
          RT_STRING0x279adc40xb66dataCzechCzech Republic0.135709389993146
          RT_STRING0x279b92c0xd90dataDanishDenmark0.12269585253456221
          RT_STRING0x279c6bc0xd9adataGermanGermany0.12492820218265364
          RT_STRING0x279d4580xf20dataGreekGreece0.12164256198347108
          RT_STRING0x279e3780x1d8dataEnglishUnited States0.6334745762711864
          RT_STRING0x279e5500xb5adataFinnishFinland0.12216104611149346
          RT_STRING0x279f0ac0xd6edataFrenchFrance0.12361838278068644
          RT_STRING0x279fe1c0x9dedataHebrewIsrael0.14489311163895488
          RT_STRING0x27a07fc0xbdcdataHungarianHungary0.13142292490118576
          RT_STRING0x27a13d80xbc2dataItalianItaly0.13156146179401992
          RT_STRING0x27a1f9c0x738dataJapaneseJapan0.19101731601731603
          RT_STRING0x27a26d40x6fcdataKoreanNorth Korea0.20246085011185683
          RT_STRING0x27a26d40x6fcdataKoreanSouth Korea0.20246085011185683
          RT_STRING0x27a2dd00xc60dataDutchNetherlands0.1268939393939394
          RT_STRING0x27a3a300xbc6dataNorwegianNorway0.12508294625082947
          RT_STRING0x27a45f80xcbedataPolishPoland0.13059472716125076
          RT_STRING0x27a52b80xbfadataPortugueseBrazil0.13209393346379647
          RT_STRING0x27a5eb40xcc8dataRussianRussia0.1311124694376528
          RT_STRING0x27a6b7c0xb9cdataSwedishSweden0.12516823687752354
          RT_STRING0x27a77180xcacdataTurkishTurkey0.11991368680641183
          RT_STRING0x27a83c40x520dataChineseChina0.2149390243902439
          RT_STRING0x27a88e40xc50dataPortuguesePortugal0.12277918781725888
          RT_STRING0x27a95340xbf8data0.12859007832898173
          RT_STRING0x27aa12c0x1cadataEnglishUnited States0.7183406113537117
          RT_STRING0x27aa2f80x21adataEnglishUnited States0.6672862453531598
          RT_STRING0x27aa5140x28edataEnglishUnited States0.43577981651376146
          RT_STRING0x27aa7a40x27cdataEnglishUnited States0.7468553459119497
          RT_STRING0x27aaa200x2aedataEnglishUnited States0.6749271137026239
          RT_STRING0x27aacd00x280dataEnglishUnited States0.6296875
          RT_STRING0x27aaf500x152dataEnglishUnited States0.7958579881656804
          RT_STRING0x27ab0a40xccdataEnglishUnited States0.7401960784313726
          RT_STRING0x27ab1700xd2dataEnglishUnited States0.8904761904761904
          RT_STRING0x27ab2440xeadataEnglishUnited States0.8974358974358975
          RT_STRING0x27ab3300xe8dataEnglishUnited States0.7931034482758621
          RT_STRING0x27ab4180x372dataArabicSaudi Arabia0.34467120181405897
          RT_STRING0x27ab78c0x136dataChineseTaiwan0.6548387096774193
          RT_STRING0x27ab8c40x3a6dataCzechCzech Republic0.3222698072805139
          RT_STRING0x27abc6c0x4a6dataDanishDenmark0.3042016806722689
          RT_STRING0x27ac1140x4dedataGermanGermany0.3097913322632424
          RT_STRING0x27ac5f40x4badataGreekGreece0.3074380165289256
          RT_STRING0x27acab00x124dataEnglishUnited States0.8561643835616438
          RT_STRING0x27acbd40x3b4dataFinnishFinland0.310126582278481
          RT_STRING0x27acf880x488dataFrenchFrance0.30431034482758623
          RT_STRING0x27ad4100x2d4dataHebrewIsrael0.3674033149171271
          RT_STRING0x27ad6e40x3f0dataHungarianHungary0.32837301587301587
          RT_STRING0x27adad40x402dataItalianItaly0.3060428849902534
          RT_STRING0x27aded80x216dataJapaneseJapan0.49250936329588013
          RT_STRING0x27ae0f00x1dcdataKoreanNorth Korea0.5777310924369747
          RT_STRING0x27ae0f00x1dcdataKoreanSouth Korea0.5777310924369747
          RT_STRING0x27ae2cc0x4cadataDutchNetherlands0.2814029363784666
          RT_STRING0x27ae7980x3a2dataNorwegianNorway0.3053763440860215
          RT_STRING0x27aeb3c0x458dataPolishPoland0.32823741007194246
          RT_STRING0x27aef940x498dataPortugueseBrazil0.2857142857142857
          RT_STRING0x27af42c0x468dataRussianRussia0.31117021276595747
          RT_STRING0x27af8940x3fadataSwedishSweden0.3055009823182711
          RT_STRING0x27afc900x412dataTurkishTurkey0.2927063339731286
          RT_STRING0x27b00a40x11cdataChineseChina0.6408450704225352
          RT_STRING0x27b01c00x414dataPortuguesePortugal0.2883141762452107
          RT_STRING0x27b05d40x4b6data0.2752902155887231
          RT_STRING0x27b0a8c0x20cTarga image data - RLE 1083 x 1103 x 32 +1077 +1075 "A\0045\004."EnglishUnited States0.601145038167939
          RT_STRING0x27b0c980x21cdataEnglishUnited States0.6611111111111111
          RT_STRING0x27b0eb40x24cdataEnglishUnited States0.7261904761904762
          RT_STRING0x27b11000x1d2dataEnglishUnited States0.6609442060085837
          RT_STRING0x27b12d40x200dataEnglishUnited States0.75
          RT_STRING0x27b14d40x1beMatlab v4 mat-file (little endian) (\006E\006'\006 , numeric, rows 0, columns 0ArabicSaudi Arabia0.49551569506726456
          RT_STRING0x27b16940xd6dataChineseTaiwan0.8504672897196262
          RT_STRING0x27b176c0x224Matlab v4 mat-file (little endian) \341, numeric, rows 0, columns 0CzechCzech Republic0.5218978102189781
          RT_STRING0x27b19900x270Matlab v4 mat-file (little endian) \370, numeric, rows 0, columns 0DanishDenmark0.42788461538461536
          RT_STRING0x27b1c000x27cMatlab v4 mat-file (little endian) i, numeric, rows 0, columns 0GermanGermany0.4308176100628931
          RT_STRING0x27b1e7c0x27eMatlab v4 mat-file (little endian) \261\003 , numeric, rows 0, columns 0GreekGreece0.5031347962382445
          RT_STRING0x27b20fc0x2cedataEnglishUnited States0.564066852367688
          RT_STRING0x27b23cc0x20eMatlab v4 mat-file (little endian) a, numeric, rows 0, columns 0FinnishFinland0.4296577946768061
          RT_STRING0x27b25dc0x270Matlab v4 mat-file (little endian) e, numeric, rows 0, columns 0FrenchFrance0.4375
          RT_STRING0x27b284c0x1aeMatlab v4 mat-file (little endian) \331\005\352\005\333\005\337\005 , numeric, rows 0, columns 0HebrewIsrael0.5372093023255814
          RT_STRING0x27b29fc0x28eMatlab v4 mat-file (little endian) , numeric, rows 0, columns 0HungarianHungary0.47553516819571867
          RT_STRING0x27b2c8c0x244Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0ItalianItaly0.45689655172413796
          RT_STRING0x27b2ed00x140Matlab v4 mat-file (little endian) n0\3250\2410\2440\3530o0\0010\252`\017an0B0\2130\2750\3250\3100\2460\2470\2420k0\037a\323gW0f0D0\2130\357S\375\200'`L0B0\2120~0Y0\0020\3250\2410\2440\3530k0d0D0f0\037u\020bU0\2140_0, numeric, rows 0, columns 0JapaneseJapan0.7875
          RT_STRING0x27b30100x136Matlab v4 mat-file (little endian) L\307 , numeric, rows 0, columns 0KoreanNorth Korea0.7870967741935484
          RT_STRING0x27b30100x136Matlab v4 mat-file (little endian) L\307 , numeric, rows 0, columns 0KoreanSouth Korea0.7870967741935484
          RT_STRING0x27b31480x26cMatlab v4 mat-file (little endian) e, numeric, rows 0, columns 0DutchNetherlands0.4064516129032258
          RT_STRING0x27b33b40x208Matlab v4 mat-file (little endian) \370, numeric, rows 0, columns 0NorwegianNorway0.4519230769230769
          RT_STRING0x27b35bc0x268Matlab v4 mat-file (little endian) o, numeric, rows 0, columns 0PolishPoland0.461038961038961
          RT_STRING0x27b38240x260Matlab v4 mat-file (little endian) s, numeric, rows 0, columns 0PortugueseBrazil0.43585526315789475
          RT_STRING0x27b3a840x22eMatlab v4 mat-file (little endian) ;\0045\0044\004C\004N\004I\0048\0045\004 , numeric, rows 0, columns 0RussianRussia0.489247311827957
          RT_STRING0x27b3cb40x24eMatlab v4 mat-file (little endian) \366, numeric, rows 0, columns 0SwedishSweden0.43898305084745765
          RT_STRING0x27b3f040x23cMatlab v4 mat-file (little endian) _\001a, numeric, rows 0, columns 0TurkishTurkey0.4825174825174825
          RT_GROUP_ICON | 0x280c958 | 0x5a | data | English | United States | 0.7333333333333333
          RT_VERSION | 0x280c9b4 | 0x3e8 | data | English | United States | 0.393
          DLL | Import
          kernel32.dll | GetModuleHandleA
          msvcrt.dll | ___lc_codepage_func
          Name | Ordinal | Address
          _cgo_dummy_export | 1 | 0x141137650
          secp256k1GoPanicError | 2 | 0x140869930
          secp256k1GoPanicIllegal | 3 | 0x1408698e0
          Language of compilation system | Country where language is spoken | Map
          English | United States
          Arabic | Saudi Arabia
          Chinese | Taiwan
          Czech | Czech Republic
          Danish | Denmark
          German | Germany
          Greek | Greece
          Finnish | Finland
          French | France
          Hebrew | Israel
          Hungarian | Hungary
          Italian | Italy
          Japanese | Japan
          Korean | North Korea
          Korean | South Korea
          Dutch | Netherlands
          Norwegian | Norway
          Polish | Poland
          Portuguese | Brazil
          Russian | Russia
          Swedish | Sweden
          Turkish | Turkey
          Chinese | China
          Portuguese | Portugal
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Jul 12, 2024 08:42:29.364041090 CEST | 49707 | 443 | 192.168.2.5 | 193.3.19.110
          Jul 12, 2024 08:42:29.364108086 CEST | 443 | 49707 | 193.3.19.110 | 192.168.2.5
          Jul 12, 2024 08:42:29.364274979 CEST | 49707 | 443 | 192.168.2.5 | 193.3.19.110
          Jul 12, 2024 08:42:29.364589930 CEST | 49707 | 443 | 192.168.2.5 | 193.3.19.110
          Jul 12, 2024 08:42:29.364609957 CEST | 443 | 49707 | 193.3.19.110 | 192.168.2.5
          Jul 12, 2024 08:42:29.364756107 CEST | 443 | 49707 | 193.3.19.110 | 192.168.2.5
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Jul 12, 2024 08:42:49.987090111 CEST | 53 | 57686 | 162.159.36.2 | 192.168.2.5
          Jul 12, 2024 08:42:50.460619926 CEST | 52388 | 53 | 192.168.2.5 | 1.1.1.1
          Jul 12, 2024 08:42:50.475339890 CEST | 53 | 52388 | 1.1.1.1 | 192.168.2.5
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Jul 12, 2024 08:42:50.460619926 CEST | 192.168.2.5 | 1.1.1.1 | 0x44ee | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Jul 12, 2024 08:42:50.475339890 CEST | 1.1.1.1 | 192.168.2.5 | 0x44ee | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


          Target ID:0
          Start time:02:42:21
          Start date:12/07/2024
          Path:C:\Users\user\Desktop\BrowserUpdate.exe
          Wow64 process (32bit):false
          Commandline:"C:\Users\user\Desktop\BrowserUpdate.exe"
          Imagebase:0x7ff7e2350000
          File size:55'469'264 bytes
          MD5 hash:696B3679926998B45C806A1068FFCB75
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:Go lang
          Yara matches:
          • Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 00000000.00000002.2205746713.00007FF7E2DC8000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
          • Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 00000000.00000000.2108717389.00007FF7E2DC8000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
          Reputation:low
          Has exited:true

          No disassembly