
Windows Analysis Report
1.e.msi

Overview

General Information

Sample name:1.e.msi
Analysis ID:1560059
MD5:c6482889fe38ab6fac54f0b220ac5407
SHA1:0a69fbde5b864d04ac9c28e2361b2d2e684c8f38
SHA256:0c70a985493b30edda772a39d108743e11b52569bccbb8e5b48a271765fb998d

Detection

DanaBot
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Suricata IDS alerts for network traffic
Yara detected DanaBot stealer dll
AI detected suspicious sample
May use the Tor software to hide its network traffic
PE file has a writeable .text section
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Yara detected Credential Stealer

Classification

Classification graph (legend only recoverable): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean, suspicious, malicious
  • System is w10x64
  • msiexec.exe (PID: 3060 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.e.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 2820 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • DiffDog.exe (PID: 6632 cmdline: "C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe" MD5: 4725DA5F62C1456C206E15ED7FDFBE06)
  • cleanup
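The process tree above, read as a hunting rule: an MSI package executed from a user-writable location, and the Windows Installer service instance (msiexec.exe /V) launching an executable from a per-user install root. This is an added example in Python and is not Joe Sandbox's own detection logic; the events are constructed to mirror the tree (plus a hypothetical benign 7-Zip install as a control), the field names follow Sysmon process-creation naming by assumption, and the parent PIDs of the two top-level processes (1000 for the user's shell, 700 for services.exe) are invented for the demo. Either finding on its own is common, since user-installed software routinely lives under AppData\Local\Programs, so the code reports the pair for analyst review rather than as a verdict.

```python
"""Added example: hunt over process-creation events for the installer chain in
the report. Not Joe Sandbox code; the Sysmon-like event layout is assumed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's tree. Parent PIDs of the two
# msiexec instances (1000 = user's shell, 700 = services.exe) are assumptions;
# the 7-Zip install from a file share is a hypothetical benign control.
EVENTS = [
    ProcEvent(3060, 1000, r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.e.msi"'),
    ProcEvent(2820, 700, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(6632, 2820,
              r"C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe",
              r'"C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe"'),
    ProcEvent(4100, 1000, r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "\\fileserver\software\7z.msi"'),
    ProcEvent(4200, 2820, r"C:\Program Files\7-Zip\7zFM.exe",
              r'"C:\Program Files\7-Zip\7zFM.exe"'),
]

# Locations an unprivileged user can write to and where phishing payloads land.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata\\local\\temp)\\", re.I)
# Per-user install root the dropped binary in the report runs from.
PER_USER_INSTALL_ROOT = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\programs\\", re.I)
MSI_PACKAGE = re.compile(r'\s/i\s+"?([^"]+?\.msi)"?', re.I)


def is_msiexec(image):
    return image.lower().endswith(r"\msiexec.exe")


def installer_service_pids(events):
    """msiexec.exe /V is the Windows Installer service instance that performs the install."""
    return {e.pid for e in events
            if is_msiexec(e.image) and re.search(r"\s/v\b", e.cmdline, re.I)}


def packages_from_user_paths(events):
    """Client-side msiexec /i invocations whose package sits in a user-writable path."""
    hits = []
    for e in events:
        if not is_msiexec(e.image):
            continue
        m = MSI_PACKAGE.search(e.cmdline)
        if m and USER_WRITABLE.match(m.group(1)):
            hits.append((e.pid, m.group(1)))
    return hits


def per_user_children_of_installer(events):
    """Executables the installer service launched from a per-user install root."""
    servers = installer_service_pids(events)
    return [(e.pid, e.image) for e in events
            if e.ppid in servers and PER_USER_INSTALL_ROOT.match(e.image)]


def hunt(events):
    """Both findings together; each alone is common, the pair deserves an analyst's look."""
    return {
        "user_path_packages": packages_from_user_paths(events),
        "per_user_installer_children": per_user_children_of_installer(events),
    }


if __name__ == "__main__":
    for key, value in hunt(EVENTS).items():
        print(key, value)
```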
Name | Description | Attribution | Blogpost URLs | Link
DanaBot | Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. | SCULLY SPIDER | | https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security |
00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security |
00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(5 of 9 entries shown)
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-21T11:17:48.249406+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49963 | 148.251.107.246 | 443 | TCP
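The two network signatures this report raises, "TCP traffic detected without corresponding DNS query" and "Detected non-DNS traffic on DNS port", implemented over constructed records as an added example in Python. This is not Joe Sandbox's detection code. The connection and DNS records are built for the demo from the addresses the report lists (sandbox host 192.168.2.5, the TCP conversation with 8.8.8.8:53, and the four direct-IP destinations); the record layout, the resolver address and the hypothetical benign lookup of example.com are assumptions of the example. The port-53 check is structural only (length prefix, header fields), which is what a sandbox can verify without decrypting anything.

```python
"""Added example: the two network heuristics reported above, run over
constructed Zeek-style records. Not Joe Sandbox code; record layout assumed."""
import ipaddress
import struct

# Constructed records modelled on the report: sandbox host 192.168.2.5, one DNS
# conversation with 8.8.8.8 over TCP, and the report's direct-IP destinations.
# The example.com lookup is a hypothetical benign control.
CONN_LOG = [  # (ts, src, sport, dst, dport, proto)
    ("2024-11-21T11:17:40", "192.168.2.5", 49854, "8.8.8.8", 53, "tcp"),
    ("2024-11-21T11:17:41", "192.168.2.5", 49860, "93.184.216.34", 443, "tcp"),
    ("2024-11-21T11:17:48", "192.168.2.5", 49963, "148.251.107.246", 443, "tcp"),
    ("2024-11-21T11:17:52", "192.168.2.5", 49970, "185.174.135.68", 443, "tcp"),
    ("2024-11-21T11:17:55", "192.168.2.5", 49975, "185.81.114.227", 443, "tcp"),
    ("2024-11-21T11:17:58", "192.168.2.5", 49980, "23.227.178.53", 443, "tcp"),
    ("2024-11-21T11:18:00", "192.168.2.5", 49981, "192.168.2.1", 445, "tcp"),
]
DNS_LOG = [  # (ts, query name, answer records)
    ("2024-11-21T11:17:40", "example.com", ["93.184.216.34"]),
]


def resolved_addresses(dns_log):
    """Addresses that appeared in any DNS answer; CNAME and other answers are skipped."""
    seen = set()
    for _ts, _name, answers in dns_log:
        for answer in answers:
            try:
                seen.add(ipaddress.ip_address(answer))
            except ValueError:
                continue
    return seen


def direct_ip_connections(conn_log, dns_log, resolvers=("8.8.8.8",)):
    """Connections to public addresses that no DNS answer ever named.
    Hard-coded C2 addresses show up here; private/loopback targets and the
    resolver itself are excluded to keep the signal clean."""
    resolved = resolved_addresses(dns_log)
    hits = []
    for _ts, _src, _sport, dst, dport, _proto in conn_log:
        ip = ipaddress.ip_address(dst)
        if ip.is_private or ip.is_loopback or ip.is_multicast:
            continue
        if dst in resolvers and dport == 53:
            continue
        if ip not in resolved:
            hits.append((dst, dport))
    return hits


def looks_like_dns(payload, over_tcp=True):
    """Structural DNS check on the first bytes of a flow: TCP carries a 2-byte
    length prefix (RFC 1035 4.2.2); the 12-byte header must have opcode 0,
    the reserved Z bit clear and at least one question."""
    if over_tcp:
        if len(payload) < 2:
            return False
        (length,) = struct.unpack("!H", payload[:2])
        if length != len(payload) - 2:
            return False
        payload = payload[2:]
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    return opcode == 0 and qdcount >= 1 and not (flags & 0x0040)


def build_dns_query(name, qtype=1, tcp=True):
    """Minimal well-formed query (A record by default) used as the positive control."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in name.split("."))
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00"
    msg += struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg if tcp else msg


FLOWS = [  # (dst, dport, proto, first payload bytes), constructed
    ("8.8.8.8", 53, "tcp", build_dns_query("example.com")),
    ("8.8.8.8", 53, "tcp", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS record on 53
    ("148.251.107.246", 443, "tcp", b"\x16\x03\x01"),  # not port 53, out of scope
]


def non_dns_on_port_53(flows):
    """Flows to port 53 whose payload is not structurally DNS (tunnelling or disguised C2)."""
    return [(dst, proto) for dst, dport, proto, payload in flows
            if dport == 53 and not looks_like_dns(payload, over_tcp=(proto == "tcp"))]


if __name__ == "__main__":
    print("direct-IP connections:", direct_ip_connections(CONN_LOG, DNS_LOG))
    print("non-DNS on port 53:", non_dns_on_port_53(FLOWS))
```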



            AV Detection

Source: Yara match | File source: 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DiffDog.exe PID: 6632, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.1% probability
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: Binary string: :ScintillaAltovaChangeExt.zip.doc.docx.svnDiffDog Find Window UNICODEIDD_SPLASH_NT|Edit with %.filedif.dirdif*?CVS.#*.biz.cml.dcd.dtd.ent.fo.math.mml.mtx.rdf.smil.svg.tld.tsd.vml.vxml.wml.wsdl.xdr.xhtml.xml.xsd.xsl.xslt.xbrl.asp.htm.html.jsp.c.cc.cpp.cs.cxx.h.hpp.tli.tlh.java.rc.py.js.avi.bmp.chm.com.dll.dot.exe.gif.gz.hlp.ico.ilk.jar.jpeg.jpg.lib.mdb.mid.mp2.mp3.mp4.mpeg.msi.obj.ogg.pdb.pdf.png.pps.ppt.rar.snd.tar.tif.tiff.ttf.wav.wma.wmf.wmv.xls.pptx.xlsx.css.txt.docm.dotx.dotminvalid hash bucket count$-7 | source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: d:\v2025_build20240930\trunk\sources\Files\XMLSpyExeFolder\bin32\DiffDog_Release.pdb | source: DiffDog.exe, 00000003.00000000.2212364428.00000000021AC000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb | source: vcruntime140.dll.2.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL | source: vcruntime140.dll.2.dr
Source: Binary string: uScintillaAltovaChangeExt.zip.doc.docx.svnDiffDog Find Window UNICODEIDD_SPLASH_NT|Edit with %.filedif.dirdif*?CVS.#*.biz.cml.dcd.dtd.ent.fo.math.mml.mtx.rdf.smil.svg.tld.tsd.vml.vxml.wml.wsdl.xdr.xhtml.xml.xsd.xsl.xslt.xbrl.asp.htm.html.jsp.c.cc.cpp.cs.cxx.h.hpp.tli.tlh.java.rc.py.js.avi.bmp.chm.com.dll.dot.exe.gif.gz.hlp.ico.ilk.jar.jpeg.jpg.lib.mdb.mid.mp2.mp3.mp4.mpeg.msi.obj.ogg.pdb.pdf.png.pps.ppt.rar.snd.tar.tif.tiff.ttf.wav.wma.wmf.wmv.xls.pptx.xlsx.css.txt.docm.dotx.dotminvalid hash bucket count$-7 | source: DiffDog.exe.2.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | File opened: C:\Users\user\AppData

            Networking

Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:49963 -> 148.251.107.246:443
Source: global traffic | TCP traffic: 192.168.2.5:49854 -> 8.8.8.8:53
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: DiffDog.exe, 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: DiffDog.exe, 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://dev.mysql.com/downloads/connector/odbc
Source: DiffDog.exe, 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com
Source: DiffDog.exe, 00000003.00000000.2212364428.00000000021AC000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com/
Source: DiffDog.exe, 00000003.00000003.2218951614.000000000833D000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.altova.com/Access-Database-OLEDB-32bit-64bit.html
Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.altova.com/Access-Database-OLEDB-32bit-64bit.html</a>
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com/catalog_ext
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com/catalog_extspy:specification_catalogspy:keepProxypublicIdrewriteURIuriStartStr
Source: DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.altova.com/dictionaries
Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.altova.com/dictionaries</a>.
Source: DiffDog.exe, 00000003.00000000.2212364428.00000000021AC000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com/en-us0.10.010.0010.00010.000010.0000010.00000010.000000010.0000000010.00000000
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.altova.com/mapforce
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com/namespace/meta-attribute
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com/namespace/meta-attributeresourcessymbolmodulestringdocu_commentdllexportdllexp
Source: DiffDog.exe, 00000003.00000000.2212364428.00000000021AC000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com/samplexml/another-namespace
Source: DiffDog.exe, 00000003.00000000.2212364428.00000000021AC000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com/samplexml/other-namespace
Source: DiffDog.exe, 00000003.00000000.2212364428.00000000021AC000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com/samplexml/other-namespacehttp://www.altova.com/samplexml/another-namespaceauto
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com/samplexml/other-namespacehttp://www.altova.com/samplexml/another-namespaceprob
Source: DiffDog.exe, 00000003.00000000.2212364428.00000000021AC000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com/xml-schema-extensions
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com/xml-schema-extensionsexample(
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.altova.com/xslt-extensions
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altova.com8
Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.firebirdsql.org/en/odbc-driver/
Source: DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.iana.org/assignments/language-subtag-registry
Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ibm.com/support
Source: DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/rfc/rfc3066.txt
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.opengis.net/gml
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.opengis.net/gml/3.2
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.opengis.net/gml/3.3/ce
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.opengis.net/gml/3.3/lr
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.opengis.net/gml/3.3/lro
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.opengis.net/gml/3.3/lrov
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.opengis.net/gml/3.3/lrtr
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.opengis.net/gml/3.3/rgrid
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.opengis.net/gml/3.3/tin
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.opengis.net/gml/3.3/xbt
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.opengis.net/gml/3.3/xer
Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.oracle.com/technetwork/database/enterprise-edition/downloads/112010-win32soft-098987.html
Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.postgresql.org/ftp/odbc/versions/
Source: DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.rfc-editor.org/rfc/bcp/bcp47.txt
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.wapforum.org/2001/wml
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.xbrl.org/2003/XLink
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.xbrl.org/2003/XLinkhttp://xbrl.org/2005/xbrldthttp://xbrl.org/2006/xbrldihttp://www.w3.or
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.xbrl.org/2003/instance
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.xbrl.org/2003/iso4217
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.xbrl.org/2003/linkbase
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.xbrl.org/2008/function/instance
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.xbrl.org/2008/inlineXBRL
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.xbrl.org/2010/function/formula
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.xbrl.org/2013/inlineXBRL
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://www.xbrl.org/inlineXBRL/transformation/2010-04-20
Source: DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.xmlspy.com)
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2005/xbrldi/errors
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2005/xbrldt
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2005/xbrldt/errors
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2006/xbrldi
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/assertion/consistency
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/assertion/consistency/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/assertion/existence
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/assertion/existence/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/assertion/value
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/assertion/value/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/boolean
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/boolean/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/concept
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/concept/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/dimension
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/dimension/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/entity
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/entity/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/general
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/general/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/implicit/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/match
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/match/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/period
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/period/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/relative
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/relative/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/segment-scenario
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/segment-scenario/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/tuple
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/tuple/error
Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.dr | String found in binary or memory: http://xbrl.org/2008/filter/unit
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/filter/unit/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/filter/value
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/filter/value/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/formula
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/formula/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/function
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/generic
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/generic/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/label
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/label/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/reference
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/reference/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/validation
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/validation/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/variable
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/variable/aspectTest
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2008/variable/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2010/custom-function
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2010/custom-function/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2010/filter/aspect-cover
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2010/filter/aspect-cover/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2010/filter/concept-relation
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2010/filter/concept-relation/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2010/message
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2010/message/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2010/message/validation
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2010/message/validation/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2010/variable/instance
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drString found in binary or memory: http://xbrl.org/2010/variable/instance/error
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://xbrl.org/2013/versioning-base
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://xmlns.oracle.com/xdbsqlxmlxmlns:sqlxmlhttp://www.iso-standards.org/mra/9075/2001/12/sqlxml
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
            Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://downloads.mariadb.org/connector-odbc/
            Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://downloads.teradata.com/download/connectivity/odbc-driver/windows
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://link.altova.com/api/
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://link.altova.com/api/package-manager/v1/bootstrap
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://link.altova.com/api/package-manager/v1/telemetry
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://link.altova.com/liveupdate.asp
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://link.altova.com/liveupdate.aspLicManRefererhttps://
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://link.altova.com/orderfromsw.asp?echttps://link.altova.com/keyinfo.asp?WrongEditionNoSMPSMPEx
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://link.altova.com/support_getfreeauthentic.asp?licenselocald:
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://link.staging.vie.altova.com/api/
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://link.staging.vie.altova.com/api/package-manager/v1/bootstrap
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://link.staging.vie.altova.com/api/package-manager/v1/bootstraphttps://link.altova.com/api/pack
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://link.staging.vie.altova.com/api/package-manager/v1/telemetry
            Source: DiffDog.exe, 00000003.00000003.2218951614.000000000833D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portal.azure.com/
            Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portal.azure.com/</a>.
            Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.altova.com
            Source: DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/eula.html
            Source: DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/manual/
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.altova.com/manualonlineHelpServer%s/%s/%s/%s.%s/HelpTopicIds.jsonhelpTopicIdFileonlineHe
            Source: DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/privacy
            Source: DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/privacy.html
            Source: DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/smp
            Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/smp</a>.
            Source: DiffDog.exe, 00000003.00000003.2218951614.000000000833D000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/support
            Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/support</a>
            Source: DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.openai.com/
            Source: DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.openai.com/</a>.
            Source: unknownNetwork traffic detected: HTTP traffic on port 49865 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49865
            Source: unknownNetwork traffic detected: HTTP traffic on port 49866 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49963
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49870
            Source: unknownNetwork traffic detected: HTTP traffic on port 49859 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49870 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49963 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49859
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49866

            E-Banking Fraud

            Source: Yara match | File source: 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DiffDog.exe PID: 6632, type: MEMORYSTR

            System Summary

            Source: CES_PlugInHost.dll.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4f22aa.msi
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{494D20A3-04AB-4FD6-8901-F174670D563F}
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2B94.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4f22ac.msi
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4f22ac.msi
            Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\4f22ac.msi
            Source: icudt58.dll.2.dr | Static PE information: No import functions for PE file found
            Source: classification engine | Classification label: mal68.troj.evad.winMSI@4/58@0/5
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CML2C20.tmp
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\Altova_rid_DD::P::27_YWxmb25z_mtx
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | Mutant created: \Sessions\1\BaseNamedObjects\60995892
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFD69F939F844ACE55.TMP
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
            Source: DiffDog.exe, 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "version" ("graph_major" INTEGER, "schema_major" INTEGER);
            Source: DiffDog.exe, 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: DiffDog.exe, 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: DiffDog.exe, 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: 1.e.msi | Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
            Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.e.msi"
            Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe "C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe"
            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe "C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe"
            Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptnet.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: webio.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msihnd.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | Section loaded: mfc140u.dll
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | Section loaded: msimg32.dll
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | Section loaded: msvcp140.dll
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | Section loaded: sqlite3.dll
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: icuuc58.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: icuin58.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: d3d11.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: d2d1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: prntvpt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: libpng16.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: credui.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: cryptui.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: odbc32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: jhelp1.1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: icudt58.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: postsharp.patterns.model.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: d3d10warp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: dxcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: ces_pluginhost.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: cesimageutility.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: oleacc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wshunix.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: avifil32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: msvfw32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: msacm32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: pstorec.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeWindow found: window name: SysTabControl32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeWindow detected: Number of UI elements: 18
            Source: 1.e.msiStatic file information: File size 44130304 > 1048576
            Source: Binary string: :ScintillaAltovaChangeExt.zip.doc.docx.svnDiffDog Find Window UNICODEIDD_SPLASH_NT|Edit with %.filedif.dirdif*?CVS.#*.biz.cml.dcd.dtd.ent.fo.math.mml.mtx.rdf.smil.svg.tld.tsd.vml.vxml.wml.wsdl.xdr.xhtml.xml.xsd.xsl.xslt.xbrl.asp.htm.html.jsp.c.cc.cpp.cs.cxx.h.hpp.tli.tlh.java.rc.py.js.avi.bmp.chm.com.dll.dot.exe.gif.gz.hlp.ico.ilk.jar.jpeg.jpg.lib.mdb.mid.mp2.mp3.mp4.mpeg.msi.obj.ogg.pdb.pdf.png.pps.ppt.rar.snd.tar.tif.tiff.ttf.wav.wma.wmf.wmv.xls.pptx.xlsx.css.txt.docm.dotx.dotminvalid hash bucket count$-7 source: DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp
            Source: Binary string: d:\v2025_build20240930\trunk\sources\Files\XMLSpyExeFolder\bin32\DiffDog_Release.pdb source: DiffDog.exe, 00000003.00000000.2212364428.00000000021AC000.00000002.00000001.01000000.00000003.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr
            Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: vcruntime140.dll.2.dr
            Source: Binary string: uScintillaAltovaChangeExt.zip.doc.docx.svnDiffDog Find Window UNICODEIDD_SPLASH_NT|Edit with %.filedif.dirdif*?CVS.#*.biz.cml.dcd.dtd.ent.fo.math.mml.mtx.rdf.smil.svg.tld.tsd.vml.vxml.wml.wsdl.xdr.xhtml.xml.xsd.xsl.xslt.xbrl.asp.htm.html.jsp.c.cc.cpp.cs.cxx.h.hpp.tli.tlh.java.rc.py.js.avi.bmp.chm.com.dll.dot.exe.gif.gz.hlp.ico.ilk.jar.jpeg.jpg.lib.mdb.mid.mp2.mp3.mp4.mpeg.msi.obj.ogg.pdb.pdf.png.pps.ppt.rar.snd.tar.tif.tiff.ttf.wav.wma.wmf.wmv.xls.pptx.xlsx.css.txt.docm.dotx.dotminvalid hash bucket count$-7 source: DiffDog.exe.2.dr
            Source: concrt140.dll.2.dr; Static PE information: 0x801EEB2B [Thu Feb 11 14:05:31 2038 UTC]
            Source: CES_PlugInHost.dll.2.dr; Static PE information: real checksum: 0xc7c2d should be: 0xcfc2d
            Source: icuuc58.dll.2.dr; Static PE information: real checksum: 0x13ee7d should be: 0x137742
            Source: PostSharp.Patterns.Model.dll.2.dr; Static PE information: real checksum: 0x0 should be: 0xe41e6
            Source: PostSharp.Patterns.Model.dll.2.dr; Static PE information: section name: _RDATA
            Source: mfc140u.dll.2.dr; Static PE information: section name: .didat
            Source: jhelp1.1.dll.2.dr; Static PE information: section name: _RDATA
            Source: CES_PlugInHost.dll.2.dr; Static PE information: section name: .text1
            Source: CES_PlugInHost.dll.2.dr; Static PE information: section name: .data1
            Source: CES_PlugInHost.dll.2.dr; Static PE information: section name: _RDATA
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_1.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icuin58.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\ucrtbase.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icuuc58.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\libpng16.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_codecvt_ids.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\CES_PlugInHost.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\PostSharp.Patterns.Model.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\vccorlib140.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icudt58.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_2.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\concrt140.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\jhelp1.1.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\vcruntime140.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_atomic_wait.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\mfc140u.dll
            Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\sqlite3.dll

            Hooking and other Techniques for Hiding and Protection

            Source: DiffDog.exe, 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: torConnect
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe; Process information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Window / User API: threadDelayed 1264
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Window / User API: threadDelayed 679
            Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_1.dll
            Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_codecvt_ids.dll
            Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\vccorlib140.dll
            Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_2.dll
            Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\concrt140.dll
            Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_atomic_wait.dll
            Source: C:\Windows\System32\msiexec.exe TID: 6848; Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe TID: 5608; Thread sleep time: -63200s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe TID: 5468; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe TID: 6664; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; File opened: C:\Users\user
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; File opened: C:\Users\user\AppData\Roaming
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; File opened: C:\Users\user\AppData
            Source: DiffDog.exe, 00000003.00000003.2217484839.0000000003FFA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWp
            Source: C:\Windows\System32\msiexec.exe; Process information queried: ProcessInformation
            Source: C:\Windows\System32\msiexec.exe; Process created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe "C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe"
            Source: DiffDog.exe, 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
            Source: DiffDog.exe, 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: explorer.exeShell_TrayWnd
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DiffDog.exe PID: 6632, type: MEMORYSTR
Source: Yara match | File source: 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DiffDog.exe PID: 6632, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DiffDog.exe PID: 6632, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques matched by at least one signature, grouped by tactic; the number of matching signatures follows each technique in parentheses. The unmatched cells of the full matrix, which carry no sample-specific information, are not listed.

Initial Access: Replication Through Removable Media (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (2), DLL Side-Loading (1)
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (21), Process Injection (2), Timestomp (1), DLL Side-Loading (1), File Deletion (1)
Discovery: Security Software Discovery (1), Process Discovery (2), Virtualization/Sandbox Evasion (21), Application Window Discovery (1), Peripheral Device Discovery (11), System Owner/User Discovery (1), File and Directory Discovery (2), System Information Discovery (43)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (2), Multi-hop Proxy (1), Application Layer Protocol (1), Proxy (1)

No signature was mapped to Reconnaissance, Resource Development, Execution, Credential Access, Lateral Movement, Exfiltration or Impact.
Behavior Graph

Behavior Graph ID: 1560059 | Sample: 1.e.msi | Start date: 21/11/2024 | Architecture: WINDOWS | Score: 68

Signatures attached to the sample node: Suricata IDS alerts for network traffic; Yara detected DanaBot stealer dll; PE file has a writeable .text section; AI detected suspicious sample

Process tree (node counters reproduced as shown in the graph):
• msiexec.exe 107 67 (started from the sample)
• msiexec.exe 3 (started from the sample)
• DiffDog.exe 29 (started by msiexec.exe 107 67)

Files dropped by msiexec.exe:
• C:\Users\user\AppData\...\vcruntime140.dll, PE32
• C:\Users\user\AppData\...\vccorlib140.dll, PE32
• C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32
• 16 other files (none is malicious)

Network activity of DiffDog.exe:
• 148.251.107.246, remote port 443, local ports 49859 and 49963, HETZNER-AS, DE, Germany
• 185.81.114.227, remote port 443, local port 49866, HZ-NL-AS, GB, United Kingdom
• 3 other IPs or domains

Signature attached to the DiffDog.exe node: May use the Tor software to hide its network traffic

            No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\CES_PlugInHost.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\concrt140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icudt58.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icuin58.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\libpng16.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\mfc140u.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_2.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_atomic_wait.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_codecvt_ids.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\sqlite3.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\ucrtbase.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\vccorlib140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\vcruntime140.dll | 0% | ReversingLabs
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link


            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://www.altova.com/DiffDog.exe, 00000003.00000000.2212364428.00000000021AC000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://www.xbrl.org/2013/inlineXBRLDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://www.openai.com/</a>.DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/wsdl/mime/DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                            high
                                                                                            http://www.altova.comDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.altova.com8DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://html4/loose.dtdDiffDog.exe, 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://www.altova.com/privacy.htmlDiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://link.staging.vie.altova.com/api/package-manager/v1/bootstrapDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://portal.azure.com/DiffDog.exe, 00000003.00000003.2218951614.000000000833D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://downloads.mariadb.org/connector-odbc/DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://link.altova.com/api/DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://www.altova.com/smp</a>.DiffDog.exe, 00000003.00000000.2213747135.000000000339A000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.opengis.net/gml/3.3/lroDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://xbrl.org/2008/filter/valueDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                  high
                                                                                                  http://xbrl.org/2010/messageDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                    high
                                                                                                    http://www.wapforum.org/2001/wmlDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://xbrl.org/2008/assertion/valueDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/soap/envelope/DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                        high
                                                                                                        https://www.altova.com/manualonlineHelpServer%s/%s/%s/%s.%s/HelpTopicIds.jsonhelpTopicIdFileonlineHeDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://xbrl.org/2008/filter/value/errorDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                          high
                                                                                                          http://www.opengis.net/gml/3.3/lrovDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://xbrl.org/2008/filter/tuple/errorDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                            high
                                                                                                            https://link.altova.com/liveupdate.aspDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://link.altova.com/api/package-manager/v1/telemetryDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://xbrl.org/2005/xbrldtDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                              high
                                                                                                              http://xbrl.org/2008/filter/unitDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                                high
                                                                                                                http://xbrl.org/2010/custom-function/errorDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                                  high
                                                                                                                  http://xbrl.org/2008/assertion/existenceDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                                    high
                                                                                                                    http://.cssDiffDog.exe, 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.altova.com/Access-Database-OLEDB-32bit-64bit.htmlDiffDog.exe, 00000003.00000003.2218951614.000000000833D000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000000.2213747135.0000000002C42000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe, 00000003.00000003.2219043595.00000000082FC000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000003.00000003.2219168952.000000000830E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://xbrl.org/2005/xbrldi/errorsDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                                        high
                                                                                                                        http://xbrl.org/2006/xbrldiDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                                          high
                                                                                                                          http://xbrl.org/2010/variable/instanceDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/wsdl/soap/DiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                                              high
                                                                                                                              http://xbrl.org/2008/filter/unit/errorDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                                                high
                                                                                                                                http://www.opengis.net/gmlDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                                                  high
                                                                                                                                  http://xbrl.org/2005/xbrldt/errorsDiffDog.exe, 00000003.00000000.2212364428.0000000001E62000.00000002.00000001.01000000.00000003.sdmp, DiffDog.exe.2.drfalse
                                                                                                                                    high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
8.8.8.8 | unknown | United States | US | 15169 | GOOGLE | false
185.174.135.68 | unknown | Iran (ISLAMIC Republic Of) | PT | 24768 | ALMOUROLTEC | false
148.251.107.246 | unknown | Germany | DE | 24940 | HETZNER-AS | true
185.81.114.227 | unknown | United Kingdom | GB | 59711 | HZ-NL-AS | false
23.227.178.53 | unknown | United States | US | 29802 | HVC-AS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560059
Start date and time: 2024-11-21 11:14:46 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1.e.msi
Detection: MAL
Classification: mal68.troj.evad.winMSI@4/58@0/5
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 2.22.50.144, 2.22.50.131
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 1.e.msi
Time | Type | Description
05:15:45 | API Interceptor | 1x Sleep call for process: msiexec.exe modified
05:16:32 | API Interceptor | 1044x Sleep call for process: DiffDog.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ALMOUROLTEC (PT) | Pedido de Cota#U00e7#U00e3o-241107.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 94.46.181.151
ALMOUROLTEC (PT) | http://loginmcsoftmlcrosoftoni365.madrides.copypremium.com/?reactivador/ahora0D1%20/=YWxvbnNvYmFAbWFkcmlkLmVz | malicious | Unknown | 94.46.180.190
ALMOUROLTEC (PT) | mips.elf | malicious | Unknown | 185.174.135.118
ALMOUROLTEC (PT) | xmpsl.elf | malicious | Unknown | 185.174.135.118
ALMOUROLTEC (PT) | ppc.elf | malicious | Unknown | 185.174.135.118
ALMOUROLTEC (PT) | mpsl.elf | malicious | Unknown | 185.174.135.118
ALMOUROLTEC (PT) | http://360mozambique.com/ | malicious | Unknown | 130.185.81.219
ALMOUROLTEC (PT) | Remittance_Advise_03092024.pdf | malicious | HTMLPhisher | 130.185.87.6
ALMOUROLTEC (PT) | nested-ConsultTrustNorth-payment Requisition #42 3L# 1414 18 Dock.pdf..eml | malicious | Unknown | 94.46.22.222
ALMOUROLTEC (PT) | b2bXo6vmDm.exe | malicious | SystemBC | 94.46.168.88
                                                                                                                                    HETZNER-ASDEexe009.exeGet hashmaliciousEmotetBrowse
                                                                                                                                    • 195.201.56.70
                                                                                                                                    owari.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 195.201.30.54
                                                                                                                                    ________.exeGet hashmaliciousQuasarBrowse
                                                                                                                                    • 195.201.57.90
                                                                                                                                    bPRQRIfbbq.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 95.216.12.30
                                                                                                                                    bPRQRIfbbq.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 168.119.160.252
                                                                                                                                    AD6dpKQm7n.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 144.76.175.205
                                                                                                                                    AD6dpKQm7n.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 195.201.9.37
                                                                                                                                    ickTGSF56D.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 185.229.90.81
                                                                                                                                    ickTGSF56D.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 91.107.171.171
                                                                                                                                    Zam#U00f3wienie 89118 _ Metal-Constructions.pdf.com.exeGet hashmaliciousQuasarBrowse
                                                                                                                                    • 195.201.57.90
                                                                                                                                    HVC-ASUSDelivery_Notification_00000896751.doc.jsGet hashmaliciousUnknownBrowse
                                                                                                                                    • 66.206.1.146
                                                                                                                                    Delivery_Notification_00116030.doc.jsGet hashmaliciousUnknownBrowse
                                                                                                                                    • 66.206.1.146
                                                                                                                                    PO-73375.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                                                                    • 66.206.23.186
                                                                                                                                    bPRQRIfbbq.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 104.254.130.186
                                                                                                                                    https://us10.mipcm.com:9743/pub/windows/mipc/v9.1.1.2201131522/MIPC_Setup_v9.1.1.2201131522.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 209.133.212.170
                                                                                                                                    otis.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 162.252.175.131
                                                                                                                                    botnet.x86.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                    • 199.193.112.254
                                                                                                                                    cIs9D0juC8.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                    • 23.227.202.197
                                                                                                                                    KC0uZWwr8p.exeGet hashmaliciousNetSupport RAT, NetSupport DownloaderBrowse
                                                                                                                                    • 151.236.16.15
                                                                                                                                    KC0uZWwr8p.exeGet hashmaliciousNetSupport RAT, NetSupport DownloaderBrowse
                                                                                                                                    • 151.236.16.15
                                                                                                                                    HZ-NL-ASGBJGWfssorui.dllGet hashmaliciousDanaBotBrowse
                                                                                                                                    • 185.117.90.36
                                                                                                                                    ElTZP4yjRG.dllGet hashmaliciousDanaBotBrowse
                                                                                                                                    • 185.117.90.36
                                                                                                                                    H6PtrbXJ9Q.dllGet hashmaliciousDanaBotBrowse
                                                                                                                                    • 185.117.90.36
                                                                                                                                    JGWfssorui.dllGet hashmaliciousDanaBotBrowse
                                                                                                                                    • 185.117.90.36
                                                                                                                                    ElTZP4yjRG.dllGet hashmaliciousDanaBotBrowse
                                                                                                                                    • 185.117.90.36
                                                                                                                                    H6PtrbXJ9Q.dllGet hashmaliciousDanaBotBrowse
                                                                                                                                    • 185.117.90.36
                                                                                                                                    Mj1o4aZG6y.dllGet hashmaliciousDanaBotBrowse
                                                                                                                                    • 185.117.90.36
                                                                                                                                    OYGqoSlvmi.dllGet hashmaliciousDanaBotBrowse
                                                                                                                                    • 185.117.90.36
                                                                                                                                    Mj1o4aZG6y.dllGet hashmaliciousDanaBotBrowse
                                                                                                                                    • 185.117.90.36
                                                                                                                                    OYGqoSlvmi.dllGet hashmaliciousDanaBotBrowse
                                                                                                                                    • 185.117.90.36
                                                                                                                                    No context
                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                    C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\CES_PlugInHost.dllyJYNZgoiNh.msiGet hashmaliciousDanaBot, RHADAMANTHYSBrowse
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):14217
                                                                                                                                      Entropy (8bit):5.782133404800876
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:pm32izSLUIXIci0WGgspgOPm3iwF5eozlggkpUUU4CsThqHUUU4C6jR3XEThqaHX:pmPSLUIXIcS5eBiJPIBJPlEPL0p7
                                                                                                                                      MD5:16E5B0DF05ACAE86C2F0B6499237C7DC
                                                                                                                                      SHA1:82C7D9C7D2D393BD3B2480E1D468447C816E93E6
                                                                                                                                      SHA-256:EE35A0A0E50C2C36A31A9FED3027C1FD8775D26C0FF3E83A91C6152CF3782B67
                                                                                                                                      SHA-512:E68C8FBBECF9639B589D3D503348D51D2F2918F72B643E30D1D197160DA772AC105BB6E7A4ECB019A425C05680DFAEB156A17B13CB826B240FE938D78256416B
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:...@IXOS.@.....@.)uY.@.....@.....@.....@.....@.....@......&.{494D20A3-04AB-4FD6-8901-F174670D563F}..MotiveWave Proffesional..1.e.msi.@.....@.....@.....@........&.{AE533901-3C2C-472E-962D-EC625A769D04}.....@.....@.....@.....@.......@.....@.....@.......@......MotiveWave Proffesional......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E25DC234-7628-6376-8C4F-A0A9098FCA45}&.{494D20A3-04AB-4FD6-8901-F174670D563F}.@......&.{D68C2780-F9C3-81E8-0F41-7C694D8990E4}&.{494D20A3-04AB-4FD6-8901-F174670D563F}.@......&.{CAB78203-16F2-2578-2018-CE2829DF386C}&.{494D20A3-04AB-4FD6-8901-F174670D563F}.@......&.{3F182DF9-CF16-E26C-D6D5-EEEC3DE9133D}&.{494D20A3-04AB-4FD6-8901-F174670D563F}.@......&.{5AB29011-62BD-1767-4357-5685FD119F8C}&.{494D20A3-04AB-4FD6-8901-F174670D563F}.@......&.{DE3E957E-08CD-F98F-6829-831E651A10C9}&.{494D20A3-04AB-4FD6-8901-F174670D563F}.@......&.{49EF81A1-5FAD-FFDD-FB1F-5B7C47D4205C}&.{
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):71954
                                                                                                                                      Entropy (8bit):7.996617769952133
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:high, very likely benign file
                                                                                                                                      Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):328
                                                                                                                                      Entropy (8bit):3.134192963226759
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:kK6yNF9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:CesDnLNkPlE99SNxAhUe/3
                                                                                                                                      MD5:AC648BFEAF83E8E1E1A5C346428BA41E
                                                                                                                                      SHA1:2CBBDEFD9558C501EF516E693475958A1099AA1A
                                                                                                                                      SHA-256:C02C09F9D2387AFC4B4F7CD542316D73A16C7B5C3D661591DA470DEEAB17FC4C
                                                                                                                                      SHA-512:64DF7C33A251E0A314ECAA321322879D4AABA78CBB4F294A0BB44905EDE312F0C443C1FA99317E36CCE58E4F472DE020BD90297DB33C35B38C84972F3CC8DFB3
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:p...... ........4r.S.;..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3294764
                                                                                                                                      Entropy (8bit):7.496644508270185
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:B3MSGT5V5gjv0clnTVh5snYWyvKIQIBayw6argJVebvpcOtov6:WSmV5gbFlnBh5pHSIQI1x8bhcOtc
                                                                                                                                      MD5:BCFAF0B488D6F9202E19DA2AF421295C
                                                                                                                                      SHA1:31CB4E8451DA080447AD24F020642D234CFD9C3F
                                                                                                                                      SHA-256:1EBC3E97D024B35FBD06D88CA73111C40C18A0F7F538E301C1C59D0CF5E76C73
                                                                                                                                      SHA-512:55E585799C29DFA5DD77285AD09CC52D9C99E6D2324FCB76FA0F0D80DB7A0AFB7ABAEA0D1548625FEB8E2E6775271A4D5A903ECA85D334C72B4B4E4CEFE8F76F
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:RIFF$F2.WAVEfmt ........D...........data.F2.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):6964
                                                                                                                                      Entropy (8bit):7.888302991768184
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:u3ctrnjvx0h0ZhMFjt6yAOPlO/oupwXnqMli5Y:uYrjvxm0cFZU/PwXLlAY
                                                                                                                                      MD5:EA257A08F4311B77D02F0DBA3F1734CC
                                                                                                                                      SHA1:D4D7A73A562D3FA9986C47EED0E172CD7D583FA4
                                                                                                                                      SHA-256:20AB1C341364D83285C82DE62408796667CBA9BE7AE65C915D4E1E12EF7AD97B
                                                                                                                                      SHA-512:E69EDD5004252E0B9F42510BC428573E2F249CDE3622784B14F0AE1830FAC7ED44457726F4C411D2AC4F9DEF0DFFD85FEC6EAAD55041E0B4F86E4738412C5FF4
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:.PNG........IHDR...............?1....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.mPTW......6t...@..AA!+.G2%.;&~l...h.n..l.&.j2.1..GjcM.GfR.'U;)M....-......B*.........A.n".((.I.m..t7..=..s.y...=.G....=.|<....?. ....'.(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(.......I.....]..........Y...Z..L....h..x.X.761.;L.g...t.$...8.................p........8..0>.gM...d:P..@.C.k...Q.U.pe8A...eH...4.M}.M}..}<4..*r.+r..(P.]@*.A.....G.$!..a.@..."....R.U....fBY.".V.. 6P.....\...Jg.`."(.......t....g-.'+/.4Ps@@....C............R......?r.....<...U.X......`.'@.........6c.O.h.....I.r.`..,........*.<R....W..2"...."..o.........x.e.TSn......r..#..<.A.i..\.~.J{dD6..wi..{g0..dD.....A..`.........2..o.c.....v.Q%oU`C..\.?z.4..Tm_Y.c%iH......:~....,...K..#..=.....[..R.o.\.M.h.....gH......V..ev...{gpU.P..[.m.Z......._Xd).$......SJm.......6...`.+...R..../..3.....H[<...._..w@2.0.eDd.d. .s...0.eDX.......P.3Y..S.
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):793896
                                                                                                                                      Entropy (8bit):6.361162287984917
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:jS7GF1lwwJ5Pb6DCgog1POF+/Iox3xqmodIgysRl38sWKLlWCRFR0eQdzOaGaMiQ:jSypS7sRl38VKLlWC/R2d9GTiJKDBWWT
                                                                                                                                      MD5:49CE1F597A415370D85C1BF7AA9C8C56
                                                                                                                                      SHA1:5F98F65879D3701D9E1BDB5F68B02F59F5020F55
                                                                                                                                      SHA-256:6CAF24C107B6D10504E73DEC841C4169D5F5A4D366B699402C8D2A51E877032E
                                                                                                                                      SHA-512:1B730E43311808105F39273A5A940BBECCDDD22058F3046BE5771F9AC51B5A2E372774026EE79BF38261BD6026CF9B4EB0260075EBDE932C5687720C80BDBA6A
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Joe Sandbox View:
                                                                                                                                      • Filename: yJYNZgoiNh.msi, Detection: malicious, Browse
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-@n|~@n|~@n|~..~An|~^<.~Bn|~...~in|~...~.n|~...~zn|~I..~Qn|~@n}~.n|~@n|~cn|~...~An|~...~An|~...~An|~Rich@n|~........................PE..L.....*Z...........!.....&...................@...............................`......-|....@..........................1..S....!..........................(3......$U...C..8...............................@............@...............................text............................... ....text1..4.... ... .................. ..`.rdata.......@.......*..............@..@.data...8b...@...8..................@....data1...........0...T..............@..._RDATA..@...........................@..@.rsrc...............................@..@.reloc...[.......\..................@..B........................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):8041
                                                                                                                                      Entropy (8bit):4.9565671053416755
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:aLGVxrHPu3Wds+i9AcE0y0U0p0q0u0i0z0k70b0E0zHPu3Wds+i9Uf:a6xrHPu3Wds+i9AcE0y0U0p0q0u0i0z5
                                                                                                                                      MD5:6C0B3D979D22421930C9B239EB07E475
                                                                                                                                      SHA1:915AB07AFFBC8BC6C49FBC9130A9365D03D18E84
                                                                                                                                      SHA-256:A45D1CBFA731390FC62804D2D2C22C31AE9F1B8F77EB93ECB47900F4F1C481B5
                                                                                                                                      SHA-512:2AC395450F9C6D1BD72BB677681558FBADD0F41ED1CB9A49F400C333C270842544FBAAB2DE2C6A4E525D3E51D01D227A0F0BD22609903EEBD89DB865F944F188
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:er="urn:oasis:names:tc:entity:xmlns:xml:catalog" targetNamespace="urn:oasis:names:tc:entity:xmlns:xml:catalog" elementFormDefault="qualified">... $Id: catalog.xsd,v 1.15 2005/10/07 13:27:08 ndw Exp $ -->...<xs:simpleType name="pubIdChars">....<xs:restriction base="xs:string">.....<xs:pattern value="[a-zA-Z0-9\-'\(\)+,./:=?;!*#@$_%]*"/>....</xs:restriction>.... A string of the characters defined as pubIdChar in production 13.. of the Second Edition of the XML 1.0 Recommendation. Does not include.. the whitespace characters because they're normalized by XML parsing. -->...</xs:simpleType>...<xs:simpleType name="publicIdentifier">....<xs:restriction base="er:pubIdChars"/>...</xs:simpleType>...<xs:simpleType name="partialPublicIdentifier">....<xs:restriction base="er:pubIdChars"/>...</xs:simpleType>...<xs:simpleType name="systemOrPublic">....<xs:restriction base="xs:
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):613
                                                                                                                                      Entropy (8bit):5.094466343717647
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:TMHdffwQKY8i9zfcIB1FfsJySbxSKhx3xSKc6fU:2dfR8K0AgySdPxBW6fU
                                                                                                                                      MD5:82C475E52E98D51397AB41136B92DA61
                                                                                                                                      SHA1:6BE18BD43EA1423930FB26B70B3C5685674ABC20
                                                                                                                                      SHA-256:57DCD5CE9C45E8DF9944F39D1B3F2884264981FFCFF9D07886C02879E770C7AA
                                                                                                                                      SHA-512:14E74C40F8F3D08A1182393B273CFE448C038A31A6CA6F52D27A9F8BE3F825411630A860F999098637732212431DF436C054D2B6169B5CFBCCDA72BD76E196A5
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8"?>..<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:spy="http://www.altova.com/catalog_ext" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:entity:xmlns:xml:catalog..Catalog.xsd">... OASIS catalog -->...<uri name="urn:oasis:names:tc:entity:xmlns:xml:catalog" uri="Catalog.xsd"/>... Global remapping of folders -->...<rewriteURI uriStartString="http://www.altova.com/sps/" rewritePrefix="sps/"/>...<rewriteURI uriStartString="http://www.altova.com/stylesheets/" rewritePrefix="stylesheets/"/>..</catalog>..
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):56488784
                                                                                                                                      Entropy (8bit):6.5969305669123806
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:786432:MyHtEcPdUNaQ7GQPgOwm/BLlu26kpzin9CRPsz51raPqP1b6aki5918ONqRxxsho:MyHtgaq3Llu26wQ9xz4TwKhvbXk8j
                                                                                                                                      MD5:4725DA5F62C1456C206E15ED7FDFBE06
                                                                                                                                      SHA1:C16D38C88FB83C659B0242319588F7A9EF84CB34
                                                                                                                                      SHA-256:BD9167760C89CAC9EBDF0A683C2FA071699F7907B05097CB2F961D66E184A943
                                                                                                                                      SHA-512:DB1B335FA7458D7F6A3FDB4732565B912F79D2A78FCE851982317F27EBDC4E76E85A7BBCC85AA5588FB15567FAA5991C465424F73E8EB1E5542ECF7A487A2A9F
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........4...U..U..U... ..U..-q.U..~)..U.....U...=..U..U..W...)..LW..~)..MU...)..U...<..U...-..U.....U.....U.....U......U...-..U...-..U...-...U..U..E.....U.......\......U......U..Rich.U..........................PE..L....e.g...............&.....6........Y...... ....@...........................g......]^...@... .............................d.D.$...................].P)...0I..`..x...T...............................@............ ..t<...........................text............................... ..`OTB................................. ..`.rdata..<.d.. ....d.................@..@.data...p.V...E..&M...E.............@....detourc.....P......................@..@.detourd.....p......................@....rsrc.............................@..@.reloc...`...0I..b...h?.............@..B........................................................................
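The previews of the dropped PE files list their section tables, and several of the names (OTB, .detourc, .detourd in the DiffDog.exe entry above; .text1, .data1 and _RDATA in the earlier DLL) are outside what a stock linker emits, which is what the report's "sections with non-standard names" and "writeable .text section" signatures key on. The following script is an added example, not Joe Sandbox code and not code from the analysed sample: it parses the COFF header and section table with only the Python standard library and reports those properties. The STANDARD_SECTIONS allow-list is an assumption to tune per environment, and the sample image it builds is a constructed stand-in that only mirrors the section names and protection flags of the DiffDog.exe layout, not its contents.

```python
"""Parse a PE section table with the standard library and flag the properties
a sandbox report calls out: non-standard section names, a writeable .text,
and any section that is both writeable and executable.
Added example; not code from Joe Sandbox or from the analysed sample."""
import struct
import sys
from datetime import datetime, timezone

# Section characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumption: names a stock MSVC/MinGW link usually emits. Anything else is
# reported; tune this allow-list for your own build environment.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".debug", ".gfids"}


def parse_pe(data: bytes) -> dict:
    """Return the COFF link timestamp and section headers of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    first = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr, _, _, _, _,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, first + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": rawsize, "raw_offset": rawptr, "characteristics": flags,
        })
    return {"machine": machine,
            "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
            "sections": sections}


def audit_sections(data: bytes) -> list:
    """Return human-readable findings for the section table of `data`."""
    findings = []
    for s in parse_pe(data)["sections"]:
        name, flags = s["name"], s["characteristics"]
        if name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
        if name == ".text" and flags & IMAGE_SCN_MEM_WRITE:
            findings.append(".text section is writeable")
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {name!r} is writeable and executable")
    return findings


def build_pe(sections, timestamp=0) -> bytes:
    """Constructed minimal PE32 image: DOS header, COFF header, zeroed optional
    header and one 40-byte header per (name, characteristics) pair. Only the
    fields parse_pe() reads are meaningful; the image is not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 224                     # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + table


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
R = IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed stand-in mirroring the section names in the DiffDog.exe preview.
SAMPLE_LAYOUT = [(b".text", RX), (b"OTB", RX), (b".rdata", R), (b".data", RW),
                 (b".detourc", R), (b".detourd", RW), (b".rsrc", R), (b".reloc", R)]

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_pe(SAMPLE_LAYOUT)
    info = parse_pe(data)
    print("link timestamp:", info["timestamp"].isoformat())
    for s in info["sections"]:
        print(f"{s['name']:<9} va=0x{s['virtual_address']:08x} "
              f"raw=0x{s['raw_size']:x} flags=0x{s['characteristics']:08x}")
    for finding in audit_sections(data):
        print("finding:", finding)
```

Run it with a path to a dropped PE to audit the real file; with no argument it audits the constructed layout. The link timestamp is printed because the report also flags a suspicious time stamp, and the same header read gives it for free.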
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3
                                                                                                                                      Entropy (8bit):0.9182958340544896
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Fn:F
                                                                                                                                      MD5:8F90D1880964B7959E49E2E8709BE70B
                                                                                                                                      SHA1:49FCD181196FB550373E83D498CAFB2EAEE026CC
                                                                                                                                      SHA-256:5DF748FD8E021B176386CEF8FC4920967EA2C9AB7CA615B013744C9A6614546C
                                                                                                                                      SHA-512:3A3D2DB35C27B6DAA877E28B9D920D8B2CFCEC0DB30A5C897D2F1322540BD855FDD1C9662F119A9468F372F03A6E8334680A8CCDC704BCC93F30D58907913228
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:DDP
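Each record above carries the same fields (size, 8-bit entropy, Encrypted flag, MD5/SHA1/SHA-256/SHA-512), and the two 5.7 MB blobs with entropy 7.9993 are the ones the report marks Encrypted:true. The script below is an added example, not Joe Sandbox code: it recomputes those fields for a file so hashes from a report can be re-checked offline against a sample you hold, and reports any mismatch. The 7.9 bits/byte cut-off for the Encrypted flag is an assumption (Joe Sandbox does not publish its threshold); the embedded sample is the 3-byte "DDP" record above, with its reported values copied in for the comparison.

```python
"""Recompute the per-file fields of a dropped-file record (size, 8-bit Shannon
entropy, Encrypted flag, MD5/SHA1/SHA-256/SHA-512) and compare them with the
values a report states. Added example; not Joe Sandbox code."""
import hashlib
import math
import sys
from collections import Counter
from pathlib import Path

# Assumption: the report does not state its Encrypted threshold. Here the
# 7.999-entropy blobs are flagged true and a 6.70 DLL false, so 7.9 bits/byte
# is used as a stand-in cut-off.
ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte over the byte histogram (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def profile(data: bytes) -> dict:
    """The fields a dropped-file record carries, keyed like the report."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "encrypted": entropy >= ENCRYPTED_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def verify(data: bytes, reported: dict) -> list:
    """Compare a file against reported values; return a list of mismatches."""
    actual = profile(data)
    mismatches = []
    for key, value in reported.items():
        mine = actual[key]
        if isinstance(value, str):                 # hex digests, case-insensitive
            ok = mine.lower() == value.lower()
        elif isinstance(value, float):             # entropy, allow float noise
            ok = abs(mine - value) < 1e-9
        else:
            ok = mine == value
        if not ok:
            mismatches.append(f"{key}: report says {value!r}, file has {mine!r}")
    return mismatches


# Constructed from the 3-byte "DDP" record; reported values copied from it.
DDP_SAMPLE = b"DDP"
DDP_REPORTED = {
    "size": 3,
    "entropy": 0.9182958340544896,
    "encrypted": False,
    "md5": "8F90D1880964B7959E49E2E8709BE70B",
    "sha1": "49FCD181196FB550373E83D498CAFB2EAEE026CC",
    "sha256": "5DF748FD8E021B176386CEF8FC4920967EA2C9AB7CA615B013744C9A6614546C",
}

if __name__ == "__main__":
    paths = [Path(p) for p in sys.argv[1:]]
    if not paths:
        print("DDP sample mismatches:", verify(DDP_SAMPLE, DDP_REPORTED) or "none")
    for path in paths:
        rec = profile(path.read_bytes())
        print(f"{path.name}: size={rec['size']} entropy={rec['entropy']:.4f} "
              f"encrypted={rec['encrypted']} sha256={rec['sha256']}")
```

Pass one or more file paths to profile real samples; with no arguments it checks the embedded "DDP" sample against the report's values. Entropy close to 8.0 on a non-PE "data" file, as with the two large blobs here, is the usual signal for packed or encrypted payload rather than plaintext resources.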
                                                                                                                                      Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5756600
                                                                                                                                      Entropy (8bit):7.9993408015678895
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:98304:rbAhSufpPetrLukQdkGCzQCMTKPbolT+cCdqt1Zd/VGK5UOstmHcGBm/BmOGrWzF:ra9etvQyDtBhPqt1Zd0K6OSm8GcpmO4e
                                                                                                                                      MD5:5CB3266E76064B560277EA280C30A898
                                                                                                                                      SHA1:5059E3287199F0A314A937D32FCFF55342818CA6
                                                                                                                                      SHA-256:F446AC9B9849199D7BC8B21E2B8C1C505974CCC0AFBAB65BF9CA610D106ACACC
                                                                                                                                      SHA-512:4B1B26A533479DFA18B57F9038BB78C68A5FB54789EE4AC253CFF1291DE2EB2FE3BE0FA09773D250A41C53B3C1DCBD44179A5088FA31A1BDFEB8F2FEDF6632B7
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.+>......0.m.s....$.................................1012546698.?=<>+! #eDHKC[ANYqjF\4'2>9z34ZX[Z\\_^.ECBDLGFI|ryz{v}Ctsruuwvy.~z}}w~a`UR\]R^PZnjmlnn..c................o.......................R........................&.......................%..............................................................<>......:698::=<.;! "*%$'OG\NXCMC QPSSUTW.\X[[U\_^urzwwus.FHKJLLON.usrt|wvy........pcbeegfi.njmkgn..................w..................................................................c................S..................u.r.a.v.<.G.h.l.n.m.`.s.U.x.l.y.T0$254"698.<=<=.! #.%T'T)G+M-^/OQ=S6U5W"Y9[.]._+A3C-E*G#I<K.M8O/q.s.ulwvyx{z}.z~a`cbed~fihsjml.k..................................................=..............................................`...................|cxd'yp%)v/bdv{kspvs`a?.l?y.....103.0477.8;:.D._...`D.C....L..I.ebdb..gdjklj<.j.qw..psYFIHSJML.KqprPutw"5*..:*..,!$.?/+.'-S.[.%7....................................................................@.......
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2485
                                                                                                                                      Entropy (8bit):4.891927318351078
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:TYSHiPgfgFpY07uv97H9OwgIhoI+I8IxIyxH04BEzOGzG6T/8zAvzsFzRzizVzKh:TYSHRdRXjhy+3EjzTGALYJokyGZ
                                                                                                                                      MD5:263B83458EF7864BF99A9B61DED01945
                                                                                                                                      SHA1:C9B419F7D8601EAF496E016529678E48E1ECC67C
                                                                                                                                      SHA-256:DFBC57396B4ED8C1A629F5116CE715B05D91E3F3B97D166E953143D1427C36A2
                                                                                                                                      SHA-512:06DDCE927683B3AFED8B60B9F268CBFE440F5C733EA364E7C07788E096913EDC7D15D87CB71D72F608FE14F01F3535D5D6E64869D2E9508966CA032318C59331
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{..."Encoding": "xsmenufile_encoding",..."GotoLineChar": "xsmenuview_gotolinechar",..."XmlNamespacePrefix": "xsmenuxml_namespaceprefix",..."XmlSpySendByMail": "xsmenufile_sendbymail",..."XmlSpyProjectProperties": "xsmenuproject_properties",..."XmlSpyGenerateDtdSchema": "xsmenudtdschema_generatedtdschema",..."XmlSpyGenerateJsonSchema": "xsjson_generateschema",..."XmlSpyGenerateSampleXmlJsonFile": "xsmenudtdschema_gensamplexmljsonfile",..."XmlSpyConvertXmlJson": "xsmenuconvert_convertxml2json",..."XmlSpyConvertXmlSchemaJsonSchema": "xsmenuconvert_xmlschematojsonschema",..."XmlSpySettingsAIDialog": "xsmenutools_options_aiassistant",..."XmlSpySettingsFile": "xsmenutools_options_file",..."XmlSpySettingsFileExt": "xsmenutools_options_filetypes",..."XmlSpySettingsEncoding": "xsmenutools_options_encoding",..."XmlSpySettingsEditing": "xsmenutools_options_editing",..."XmlSpySettingsPrettyPrinting": "xsmenutools_options_prettyprinting",..."XmlSpySettingsValidation": "xsmenutools_options_validatio
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):881664
                                                                                                                                      Entropy (8bit):6.692804515627905
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:Mkk9aXkf40dzsDa7cThcZezRN41jwrreyrXXkopp5v7XQuKX3Aor6Qx3V0U6OAQd:saKgrnewXkopp5jy3Ak6Qx3V0F4
                                                                                                                                      MD5:88E91CFDFA4B6D3741C31B9FCB96DFB4
                                                                                                                                      SHA1:8AC1059B04F32675FDF9F6D8A055C293C042C4E5
                                                                                                                                      SHA-256:2F70FC194FCD522A1309456F36C45B2C7127D4691F5C8E1E1703C108BF53622D
                                                                                                                                      SHA-512:E8B1DD5DD0781A2BCF4F39BC8ABECD4001019CCC4E4E029BD41264A528B0C4BF3EFA6E2CE49189D10135B6ACE423D9A1BF4AD4937A6D0A31E5CA435970DF3864
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........V........................+...................................................@......................................................Rich............PE..L....3g...........!...).....X......V........0............................................@....................................d....P.......................`...[..........................@-......0,..@............0..t............................text...L........................... ..`.rdata..D....0......................@..@.data....b.......V..................@..._RDATA..0....@......................@..@.rsrc........P......................@..@.reloc...[...`...\..................@..B........................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):745
                                                                                                                                      Entropy (8bit):5.054457609544642
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:TMHdffwQKY8i9zfcIpWRtytlKHC1LP4pw6qbwkKyi:2dfR8K0vyZ1Em6qbwkI
                                                                                                                                      MD5:1D3B96D9DDCE700679AC048EE1CEB71B
                                                                                                                                      SHA1:094DD8CE7B65BE13000EF082F18E778686461F2C
                                                                                                                                      SHA-256:3A90D85F1DE54984173FC282A061AC270126B6CE1AD0FDD407D6463DC526DE39
                                                                                                                                      SHA-512:BB94713A577B19D3730C76BD15B61FAD7F3310C3A0B1DE1E67131D33DA57D11CDFF670C49CEA07824BEF2EB9739EF56005DDE01EAB994692AB1694FD1C820835
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8"?>..<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:spy="http://www.altova.com/catalog_ext" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:entity:xmlns:xml:catalog..Catalog.xsd">...<nextCatalog catalog="%PersonalFolder%/Altova/%AppAndVersionName%/CustomCatalog.xml"/> ... Include all catalogs under common schemas folder on the first directory level -->...<nextCatalog spy:recurseFrom="%CommonSchemasFolder%" catalog="catalog.xml" spy:depth="1"/>...<nextCatalog catalog="CoreCatalog.xml"/>...<nextCatalog spy:recurseFrom="%ApplicationWritableDataFolder%/pkgs/.xsd_cache" catalog="namespace-mapping-catalog.xml" spy:depth="0"/>..</catalog>..
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5756378
                                                                                                                                      Entropy (8bit):7.999340938398065
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:98304:qbAhSufpPetrLukQdkGCzQCMTKPbolT+cCdqt1Zd/VGK5UOstmHcGBm/BmOGrWz2:qa9etvQyDtBhPqt1Zd0K6OSm8GcpmO49
                                                                                                                                      MD5:BD54D1044338266E31CFB70AD6317CB1
                                                                                                                                      SHA1:E4C6D3B1C06ADCB2C269058E4E382BF186226824
                                                                                                                                      SHA-256:5126D44DE7597BF37C7C9D0DA3740DF44FFC00D20F7462EBE5AD53112A52596A
                                                                                                                                      SHA-512:0F4FBF6B0D61FB62FC15E20E294AD1047DB04130A45EC7018EEE0E05E8D2DE432A7F11859E68334428AE9CB96448001BDBAC032ABD384EB6F227C8C9199A59C3
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:..j....p.O.e...~...................................1012546698.?=<>+! #eDHKC[ANYqjF\4'2>9z34ZX[Z\\_^.ECBDLGFI|ryz{v}Ctsruuwvy.~z}}w~a`UR\]R^PZnjmlnn..c................o.......................R........................&.......................%..............................................................<>......:698::=<.;! "*%$'OG\NXCMC QPSSUTW.\X[[U\_^urzwwus.FHKJLLON.usrt|wvy........pcbeegfi.njmkgn..................w..................................................................c................S..................u.r.a.v.<.G.h.l.n.m.`.s.U.x.l.y.T0$254"698.<=<=.! #.%T'T)G+M-^/OQ=S6U5W"Y9[.]._+A3C-E*G#I<K.M8O/q.s.ulwvyx{z}.z~a`cbed~fihsjml.k..................................................=..............................................`...................|cxd'yp%)v/bdv{kspvs`a?.l?y.....103.0477.8;:.D._...`D.C....L..I.ebdb..gdjklj<.j.qw..psYFIHSJML.KqprPutw"5*..:*..,!$.?/+.'-S.[.%7....................................................................@.......
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):257616
                                                                                                                                      Entropy (8bit):6.701518252422076
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:H3RC9MpwQGXL41H9UsWy64Q7WzB1XmrbB1+1FUqHHlsixuOdm12z/Nrv:XMdV4HXmrkRHNuOdjz
                                                                                                                                      MD5:3D0EA6BA3551AEC4717AB2827319A741
                                                                                                                                      SHA1:E1273BA1B3D6CDBF93C99B115EF8ACCD84568718
                                                                                                                                      SHA-256:1573721C06F70D779F5AEBA175C039202069DA15D8526C3CE0C19B8C7FA985B1
                                                                                                                                      SHA-512:BADE3D768BF435C0ADD77BA377866A59146D22E102932FBEAB08FC10B27B9F5BCC5375ED26EE48847FB57649D706FF2AD6192895780C6924E34CAA7FCCA3514A
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:MS Windows icon resource - 6 icons, 16x16, 16 colors, 16x16, 8 bits/pixel
Category:dropped
Size (bytes):19030
Entropy (8bit):3.716507862178767
Encrypted:false
SSDEEP:96:sgRODsZW6t7O/PW6DcrX1xzM1NYTmbHmEV68Y/O/c3mAL+y4EAb:s2OoZ7O3+xRwAL+ysb
MD5:9323BC80F5A18A056BCBD10831D91820
SHA1:2EF7269B341D18E80247F81C81DAA0D740E31FCE
SHA-256:34F7C8571EC1618EF30A9C9B0E82779C02AC8033301120EE321DF92685D8A26A
SHA-512:E3B1DA91310A0CDF1E99D41D415CC41D4546F8BFBC6F6FF9477CF780DE18A90F988DC0F6F2E36DFB15E521032209ACA65E09A40CA0345C8EB149BB7E722818D9
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:MS Windows icon resource - 6 icons, 16x16, 16 colors, 16x16, 8 bits/pixel
Category:dropped
Size (bytes):19030
Entropy (8bit):3.6581828158068537
Encrypted:false
SSDEEP:96:sLPODsZW6Ic7O/ZW6BvX11/g+NYTmWdmqV68Y/O/c3m0o7vCEAb:sLPOox7OxNZXw0o7vWb
MD5:BC7F04B672921472EF873A8BA8B43D17
SHA1:F649DC3FA6E10551C70B56B77284242B7CB9A243
SHA-256:5993FF64F1BE29483E7DAC836C052F7966639C9E1BE674576D1526F09B21BE1B
SHA-512:9E49ECE04919105AFFCBEDAED1CE184E9610C82620B6D8CDD6A21FF6BBD383F068DE31E673C7CBD4DE44630CF438A621DD4883D340C77B1C32B900B2B8E06509
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):26217296
Entropy (8bit):6.145231105211082
Encrypted:false
SSDEEP:393216:6yAzEe25BzFGsiXUx4YhMWljacUl2nAg9WbkntyemS/wo47Tt930PpUxQFV5eitR:0j2sj2
MD5:169A463A9455F425DB2FA780A4D0D09D
SHA1:20F595E9211407EAB1307295E950CE8FC8D0CC47
SHA-256:5F4863FB6528C22BAC7EAC7D61F28D77C1C373D0A63A9654EB98DF6855E874D1
SHA-512:90917354940A9275089DCCC9C129EB4B29684181894C43DD445F10922E6E5251C69BC980F1D079C2B6659E74AAA64E758ED5308C5F5DBA8C56F406834CED71D1
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1853264
Entropy (8bit):6.683305360980674
Encrypted:false
SSDEEP:24576:6jotJw5htgCvLiFo/cR8miHghwAVrz+Xo6f6JMGeKpwHmKs:5tJw5ht7Loo/cqmY5AVr1Txe7s
MD5:EF34C5E58E3E617B9529F498AAADC535
SHA1:4FC1CE77A5EC9D3138A143049D8532C8D54138D0
SHA-256:DA9E7BB382F40DD0F513D3F2CBB876AC4768853D60509886C0FE262911194952
SHA-512:68E3D03D2E602173F257A62243419A593E0B58917CD33D725BEFBFDCFE7C0DB886479845B3B4FEC1CBD9395AE79A30A68A0CA38B3785A71933187E62BEB78934
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1273168
Entropy (8bit):6.720729444538501
Encrypted:false
SSDEEP:24576:JJBEyK3E7XPEFs5dZvv3wxEQ8z3MkknPrMkkkskkkkkRkkkkkkkkkkkkkkkkkkkf:JJBEyKAXf5d2x6vd
MD5:25D1D25E5FA624F6719D84D298B623F4
SHA1:CD1A0F149AD047349BDE137B05F27143E1961700
SHA-256:C6C89D777220A3D62FB0F32DA2818FED0C8BCE5A5AC19BC69CAB2FEEACEAF96E
SHA-512:9258BC211149269627652A4925B0771B80AEF070C851F682D24AE00AA6D0609056B940B3815584CAB8AD723D4A732F9437BD8B57F354C639398DEF6E364512F6
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19007536
Entropy (8bit):6.695946566681894
Encrypted:false
SSDEEP:393216:3YB7yL7lQkdNyp0q70mCEZ8fmf2DuNp6mVOU3WfkT3ZMxXsp88SmgaIALdLmlkYz:IB7k7lK3tCEff2n
MD5:3D8CF3C555349DA1E690B115532C2388
SHA1:0892A7C9AC32E918CF228D3272BAD000828B792F
SHA-256:4EC2B0E2AC29FDDFCF205CE31AACDF7ED26AFB405BB282DB69A04024CC81276F
SHA-512:4A170D9E938E20680E9029C9612B55D5B1DF1D6875178A8246117F0D3DC89433AAF53EEE5A17899581CA6E86E64E70DF2975949BDC350B3C5B90C4C01C9E2D12
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):246608
Entropy (8bit):6.82880321579517
Encrypted:false
SSDEEP:6144:ylD2j2inC/u3q+vaQXbjVeSFBKsai7nHh:OKaIqdOReSvKsd7B
MD5:9112F8724F0036BC9354F1AE25856344
SHA1:CAD008D2D84AC173201105DB27A9DF29B66A5DEA
SHA-256:053A61026FC585261A0C6C66D8C9ADA80416AA812261FA7D591937C6737D26D9
SHA-512:021E70F07225DEEB28B632A5C688709548876131FA7FF58311C72489B5621A514A44707E27CA16E4ED283ABEBFE18653653499A345D811A0CCC355205ECDF3DD
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4869496
Entropy (8bit):7.023063738664024
Encrypted:false
SSDEEP:98304:2Wb8RxUQ2gvGuxzgCkTVlzrrqkijR2e4FLOAkGkzdnEVomFHKnPLzr2:2WyTVeT7qkijRr4FLOyomFHKnPLu
MD5:EC9829B23C2E5A7029AC2F9F81924EFA
SHA1:9B7400EE4282E4655C0CD5F54C41D3AE14095434
SHA-256:28EB2E4DE14C90B303E13EAFF2E65A4D57E4F5E220BD34CEB858D745A02BDF94
SHA-512:7B2831CA2CDE03F3F12240AE5F18386BBC1D6DA2B66A550515800E8A1947BC64F077EAF498E63CC3E1CAF39986CFEEB886F43562C0D451D8C54C196F4AF58662
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):446840
Entropy (8bit):6.690279428020546
Encrypted:false
SSDEEP:12288:5mtyWf0sTWRzbpT/tD5YpsGx30h7whUgiW6QR7t5s03Ooc8dHkC2es98R:A0HsTWRzbp5D5YpsM3A7v03Ooc8dHkCh
MD5:C766CA0482DFE588576074B9ED467E38
SHA1:5AC975CCCE81399218AB0DD27A3EFFC5B702005E
SHA-256:85AA8C8AB4CBF1FF9AE5C7BDE1BF6DA2E18A570E36E2D870B88536B8658C5BA8
SHA-512:EE36BC949D627B06F11725117D568F9CF1A4D345A939D9B4C46040E96C84159FA741637EF3D73ED2D01DF988DE59A573C3574308731402EB52BAE2329D7BDDAC
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):21384
                                                                                                                                      Entropy (8bit):6.470094803230791
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:Y32E5mpdhYQjHy3d5Wcs5gWI3KLHRN7QiUJ/AlGstm4s:YmxQSyUyAQX/xEv
                                                                                                                                      MD5:C946A9E4170F6B16D25C822DA616DC6A
                                                                                                                                      SHA1:F602D23DB756F9C3A058D3B7186D24480E05790F
                                                                                                                                      SHA-256:65BDADB5562B9473471740B1DCD8B064459A40D71A1A11FC5AEDAA855FE7635A
                                                                                                                                      SHA-512:916CAD8B1E38B2B15AB836844C5CC9D36B212831B2F553198054FE9CB5CD77AECD544CAC8040000337CEFDA9B15BF95E8903F36A9C1BEB7D579CFFF670445617
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(D.vl%.%l%.%l%.%.U.$n%.%e]/%h%.%>P.$f%.%>P.$m%.%l%.%D%.%>P.$i%.%>P.$x%.%>P.$m%.%>PC%m%.%>P.$m%.%Richl%.%........................PE..L...J|.a.........."!.........................0...............................p......#,....@A.........................*..J....@..x....P...............0...#...`..t...X...8...............................@............@...............................text...J........................... ..`.data...8....0....... ..............@....idata.......@......."..............@..@.rsrc........P.......(..............@..@.reloc..t....`.......,..............@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):166264
                                                                                                                                      Entropy (8bit):6.800892494270331
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:UZqJu0h1iCPZYtIzss2wizpHB7RoSxvQ02bnt56CY2G1zVSdqXCvjC:UZqU0hStIzrQqht567ZSY+jC
                                                                                                                                      MD5:06DEEA1786C951D3CC7E24A3E714FF03
                                                                                                                                      SHA1:9906803CEDB8600C5E201AE080155BEEBD2902B2
                                                                                                                                      SHA-256:EAC4C95CD7B013E110F2CF28C08342126FE1658EF16010541F05B234D23272DD
                                                                                                                                      SHA-512:28CAA59DEEC92E417468BB0244DA2E60FAF6482EF608258E99FA47F59D3CD0EDEE69155E913034AC7B5E1AFC88DBF8F6F97058B75F0CBC6E4C045E1EE6EAADA0
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%>..a_a.a_a.a_a../`.c_a.h'.m_a.3*e.j_a.3*b.c_a.a_`.._a.3*`.d_a.3*d.r_a.3*a.`_a.3*..`_a.3*c.`_a.Richa_a.................PE..L...J|.a.........."!.....*...<......0........@......................................:.....@A.........................3..@....Q.......`...............f..x#...p..X....\..8............................\..@............P...............................text....).......*.................. ..`.data...(....@......................@....idata..`....P.......6..............@..@.rsrc........`.......D..............@..@.reloc..X....p.......H..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):52104
                                                                                                                                      Entropy (8bit):5.1488364199396335
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:ZWlTFwTSloNYcSNXR5cHDIABta/FWFvug0yiT3UN9imfI/NVW0jdT40Fzenw3GDx:GVT9kNWNLTXwwWDpQJs10cM8dAgT7
                                                                                                                                      MD5:FFB8C73E6E3769D5D8715E694707C792
                                                                                                                                      SHA1:F7D63FA41C34D7B75CD70D72E317DB148F3D50CA
                                                                                                                                      SHA-256:1DD7D3417FFFC321A67AAE2CA7E89A7D75203F8A3586CD829C56766F313F7931
                                                                                                                                      SHA-512:61E83F71A388FD1176665225CC84C32FAC40663376629ADBE9B47CD9E69DDADC43FEC021B07062585AF80811E8F3E0479314B2277E6CB8617645FD304FAE88AB
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Uz.;).;).;)*.:(.;)...).;)..?(.;)..8(.;).:)..;)..:(.;)..>(.;)..;(.;)...).;)..9(.;)Rich.;)........PE..L...J|.a.........."!.....H..........PC.......`............................... ......,@....@A.........................Q..D...............0................#......x.......8...........................0...@............................................text....F.......H.................. ..`.data........`...B...L..............@....idata..............................@..@.rsrc...0...........................@..@.reloc..x...........................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):18816
                                                                                                                                      Entropy (8bit):6.421430337596372
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:5DSdV3lIjIjP2dhWiOEWs/KLHRN7kxjlGsgl/Z:5c32jmdmAT7/Z
                                                                                                                                      MD5:EF6C5EEB8B36D941E6991E6981CDB88A
                                                                                                                                      SHA1:E21989951B745B290F143DD63F94BD4399A74284
                                                                                                                                      SHA-256:3859B4A5A5C0A30CEE15C188F678E09D040541C221999D926955B49E8779E675
                                                                                                                                      SHA-512:12CB0C4E4DE73600E262B6B6D0448FB050BD4B673D86265B4033B253EA3864DDA4F004F6344AAE5BED7A15D5717531F7B18374E47FF4258E027EE7B896F6F406
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Mt.T.............e.......mv.............[`......[`......[`......[`......[`......[`......[`......Rich....................PE..L...J|.a.........."!................P........0...............................p.......)....@A.........................!../...l@..P....P..0............&...#...`..H...D...8...............................@............@..h............................text............................... ..`.data........0......................@....idata..t....@......................@..@.rsrc...0....P......................@..@.reloc..H....`.......$..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1266512
                                                                                                                                      Entropy (8bit):6.76665912939983
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24576:HKJBFjUNt+dLi2QnOFiVfBZngLrB2rOIIuYYEqDhrwVW8WRU:qlutNvOFizZgXBcRYYEccWrRU
                                                                                                                                      MD5:AEC1AB9CC272E184C7E896E169786B64
                                                                                                                                      SHA1:32E85DABECC470B6995EFAF83F8BF1D7E78B4916
                                                                                                                                      SHA-256:5C5E4128AFE870F4B830AFA30BE42B4ABD8C4BD8229A9BACF6B24A4081F9B313
                                                                                                                                      SHA-512:E059C621A44AAC97446F41ABB8B6F61D2C12D352F3F87451511A0F87E587BF1C1EBE0A56B074E36BDBAE5A7DF94EAB102C5C0C8BED37FBAEE715181C237840CF
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......vcf.2..Z2..Z2..Z;z.Z>..Z}~.[0..Z}~.[>..Z}~.[8..Z}~.[9..Zyz.[1..Z2..Z...Z.~.[3..Z.~.[3..Z.~.Z3..Z.~.[3..ZRich2..Z........PE..L....L.e...........!...".....8...............................................p......z.....@.........................05...$...Z.......................*..P)..........'...............................&..@............................................text............................... ..`.rdata...U.......V..................@..@.data...lH...p...D...N..............@....rsrc...............................@..@.reloc.............................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4428
                                                                                                                                      Entropy (8bit):4.79153248777129
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:4T7rK/xQNukj/5+B8XM3n/xWn/xX5N1UzEe7H:4T72mNuCaY8zH7H
                                                                                                                                      MD5:680083D8087569CC23B481D527C764C5
                                                                                                                                      SHA1:5A4BC210EBEFEF5494DBB5A97DCBC66A5988C464
                                                                                                                                      SHA-256:894C1A18B17E9FB76684147F58785AAFE39089E333ED766267E9F6A3D3AC8B7F
                                                                                                                                      SHA-512:191BA759F26A02D8A2A80CC868148CC010042E5EF127FB05A7C24F6C538A80DD141E5D096FD8AB25AFD76112D70EDD9670A042CCF46C430329EAF7CA530B2241
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.<!DOCTYPE html>..<html lang="en">....<head>.. <meta charset="utf-8">.. <title>{{localized_title}}</title>.. <style>.... :root {.. --numColumns: {{#middle_side}}3{{/middle_side}}{{^middle_side}}2{{/middle_side}};.. --leftColumnContent: 1;.. {{#middle_side}}.. --middleColumnContent: 2;.. --rightColumnContent: 3;.. {{/middle_side}}.. {{^middle_side}}.. --rightColumnContent: 2;.. {{/middle_side}}.. }.... div.legend {.. font: 1em Consolas, "Liberation Mono", Menlo, Courier, monospace;.. padding-top: 0.34em;.. padding-bottom: 0.34em;.. width: 100%;.. display: grid;.. grid-template-columns: 1fr 1fr 1fr 1fr 1fr;.. vertical-align: middle;.. }.... span.legend-caption {.. grid-column: 1/5;.. grid-row: 1;.. text-align: left;.. font-weight: bolder;.. }.... span.legend {.. grid-row: 2;.. text-align: center;.. }.... #text-comparison-result,.. #xml-compariso
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1170904
                                                                                                                                      Entropy (8bit):6.805826320677691
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24576:+WiAihjcDBXUw9y079gzyVFExlfz+pq12S5qyrmcvIZPoy4spcFOo:NiAihjmXfgzyVFEWc2SEyApcco
                                                                                                                                      MD5:126FB99E7037B6A56A14D701FD27178B
                                                                                                                                      SHA1:0969F27C4A0D8270C34EDB342510DE4F388752CD
                                                                                                                                      SHA-256:10F8F24AA678DB8E38E6917748C52BBCD219161B9A07286D6F8093AB1D0318FA
                                                                                                                                      SHA-512:D787A9530BCE036D405988770621B6F15162347A892506CE637839AC83AC6C23001DC5B2292AFD652E0804BD327A7536D5F1B92412697C3BE335A03133D5FE17
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..\...\...\......\...]...\.......\...\...\..._...\...Y...\...R...\...X...\.......\...^...\.Rich..\.........................PE..L.................!................0................................................b....@A................................t".......@...................!...P......P...T...........................p...@............ ..p............................text...P........................... ..`.data...<...........................@....idata....... ......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):267656
                                                                                                                                      Entropy (8bit):6.547035182798101
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:+9WZ4GcvxHdmJOHpxyBIBaQ0I/Quljl1mn48MHnlwgSmiSb:+VFTmJO/BH0IYuljK48ZgS0
                                                                                                                                      MD5:2FB4C4168E379F13B15D4E299ECF3429
                                                                                                                                      SHA1:4C6702254054F288BEB49ADCDD6317575E83374D
                                                                                                                                      SHA-256:8CD7BE490AD502C9980CB47C9A7162AFCCC088D9A2159D3BBBCED23A9BCBDA7F
                                                                                                                                      SHA-512:8BC80A720CDC38D58AB742D19317FBE7C36CFB0261BB9B3D5F3B366459B2801B95F8E71FB24D85B79F2C2BC43E7EB135DAB0B81953C7007A5C01494C9F584208
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Hb.:...i...i...i.{.i...i^v.h...i^v.h...i^v.h...i^v.h...i.s.h...i...i...i^v.h...i^v.h...i^v.i...i^v.h...iRich...i................PE..L....~.a.........."!.........................0............................... ......Gp....@A........................@....=...............................#......TX..\J..8............................J..@............................................text...[........................... ..`.data....o...0...l..................@....idata..............................@..@.rsrc...............................@..@.reloc..TX.......Z..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):91104
                                                                                                                                      Entropy (8bit):6.919609919273454
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:wd5wd+ywOpmlhcsrG4ckZEzH3qDLItnTwfVkC2KecbGJ13yd+zTNFZFzK:wdJywOpmlPrHI6D+nTwvlecbG/3y8XG
                                                                                                                                      MD5:9C133B18FA9ED96E1AEB2DA66E4A4F2B
                                                                                                                                      SHA1:238D34DBD80501B580587E330D4405505D5E80F2
                                                                                                                                      SHA-256:C7D9DFDDBE68CF7C6F0B595690E31A26DF4780F465D2B90B5F400F2D8D788512
                                                                                                                                      SHA-512:D2D588F9940E7E623022ADEBEBDC5AF68421A8C1024177189D11DF45481D7BFED16400958E67454C84BA97F0020DA559A8DAE2EC41950DC07E629B0FD4752E2F
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................2........I..............o.......o.......o.......o.......o%......o......Rich............PE..L....s............"!...&............P........................................P...........@A........................@........ .......0...................O...@.......$..T............................#..@............ ...............................text...T........................... ..`.data...d...........................@....idata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:v:v
MD5:68B329DA9893E34099C7D8AD5CB9C940
SHA1:ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC
SHA-256:01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
SHA-512:BE688838CA8686E5C90689BF2AB585CEF1137C999B48C70B92F67A5C34DC15697B5D11C982ED6D71BE1E1E7F7B4E0733884AA97C3F7A339A8ED03577CF74BE09
Malicious:false
Preview:.

Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:y:y
MD5:81051BCC2CF1BEDF378224B0A93E2877
SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
Malicious:false
Preview:..

Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
File Type:data
Category:dropped
Size (bytes):130
Entropy (8bit):2.6212307144865425
Encrypted:false
SSDEEP:3:xNIDzk+xlliplltq8QRXe//w:x0zjsplK8Ee//w
MD5:647E8E57755CF2ADA12589060C50C079
SHA1:A7DA88301FE4A32AAA36FDC216F743A9FBE557EB
SHA-256:6E45A40F910A85232E711D528C16B33956A3212CAC414C3B7DDDCCF2856C64EB
SHA-512:EC0D03B7950D82D58E8F36724D9D072C82ED943DECD82F68AA94134F5A334B32F11726B83B8A1936A84CC8018D8999FC0AE29EF2371CF7F5DACC47BA06C9BC6B
Malicious:false
Preview:ADIOS-BP v2.9.2 Data............292.............................[PGI>.......n..Output......1..................................PGI]

Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
File Type:data
Category:dropped
Size (bytes):134
Entropy (8bit):2.3816183899920396
Encrypted:false
SSDEEP:3:xNIDiijIxll0lbqQRVQRDshtll:x0iVeGEVnh
MD5:110090F60E6DA1EBD8C003DD4A8EFE22
SHA1:DC592E5FB12B34413CBD1FA8BDD6B8DE063B6E3F
SHA-256:9A74DE2A2AFA6919AFC2F30A0B046D929DBBBE8786E7F70B1C9C42304C9252A9
SHA-512:8870D0C11A04D1641016EAD4D27FFDF4CA4D0C8EC5A031DE0439EF72AE5D2DE92A8FC62DD9B54C1AA76D5E03D7A36D9939429087FDE7B8271FA3EB22D99F5EB4
Malicious:false
Preview:ADIOS-BP v2.9.2 Metadata........292.................................................Outputn......1....@...............................

Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
File Type:data
Category:dropped
Size (bytes):128
Entropy (8bit):2.381368203576206
Encrypted:false
SSDEEP:3:xNIDV7utfWxll0ldll5lnlrlUl:x0R6eeK
MD5:46082A358DE4BD6B83D0E17960C318E5
SHA1:6C3F6A4DD096048CD0B09CCF23EACA6272481A3D
SHA-256:23123D9614BC0D68206F2985CB25DEB8C6EE6C87CF040A2DBE5E55644A575EB3
SHA-512:01697C69BA75342AA5A115AED5A8B718DCF2B3434052DBD7B28403F353434BDF713C429940E0744D6572C6E74617F110A75652EA54D992966E05BE18DE257891
Malicious:false
Preview:ADIOS-BP v2.9.2 Index Table.....292.............................................@.......n.......z...............[.?g............

Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
File Type:JSON data
Category:dropped
Size (bytes):395
Entropy (8bit):4.782832846794636
Encrypted:false
SSDEEP:12:LHEOowxP9Eyuy0gfTkt9tHzLlPuIgX/or:zBpl2y23tTRPRnr
MD5:348E40D2CC54E91A71ED79EF81CBCFDA
SHA1:AA5A26E289F9D0A27F4B884A561619470328532E
SHA-256:2BDFE20ABBCB207522C167B95359583D11E382B44A164E310AA27613AD1B03C0
SHA-512:2C6006956FBDC689E45E6FF4CDDE80CFFD2EE1AAE095FDB31026C67BAA8567F3D3B545F67C15AEA3B303A780D4F4ED8D25DD2214B69D89544A6DE9A21F27FD84
Malicious:false
Preview:[.{ "rank": 0, "start": "Thu_Nov_21_06:38:49_2024", "threads": 1, "bytes": 130, "aggregation_mus": 0, "buffering_mus": 197, "memcpy_mus": 0, "minmax_mus": 0, "meta_sort_merge_mus": 126, "mkdir_mus": 439, "transport_0": { "type": "File_fstream", "open_mus": 538, "write_mus": 32, "close_mus": 47255}, "transport_1": { "type": "File_fstream", "open_mus": 184, "write_mus": 11, "close_mus": 0} }.].

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MotiveWave Proffesional, Author: MotiveWave Software, Keywords: Installer, Comments: This installer database contains the logic and data required to install MotiveWave Proffesional., Template: Intel;1033, Revision Number: {AE533901-3C2C-472E-962D-EC625A769D04}, Create Time/Date: Tue Nov 12 16:50:30 2024, Last Saved Time/Date: Tue Nov 12 16:50:30 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
Category:dropped
Size (bytes):44130304
Entropy (8bit):7.998958277200641
Encrypted:true
SSDEEP:786432:Ik4FDMyBJdSbNA0Dmrv+XkyxQ+wFyz1thYPATnoYELCw:VkncYTRGyPqoLCw
MD5:C6482889FE38AB6FAC54F0B220AC5407
SHA1:0A69FBDE5B864D04AC9C28E2361B2D2E684C8F38
SHA-256:0C70A985493B30EDDA772A39D108743E11B52569BCCBB8E5B48A271765FB998D
SHA-512:7E952A053C54CFD5DCC3854459AC53CCBF56880E4978030F32F55D433F545002683FC1A43A0E0D919F1B8608E84DA72C7C1FA0B575171C91CA1D75048BEE8934
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):11640
Entropy (8bit):5.703982462286821
Encrypted:false
SSDEEP:96:4m32zxwXSbhGQFIKYA1vbWhjJmqOWTlTMXM247LRnl3rmkYNjg+6jAHVoeaoaTUY:4mfSdGQFIK+mXWC6Bl3Qj60CeZWr
MD5:AB850096F91AF156F17602DDD016E03B
SHA1:85A4E079F0E85C566379214B2D339384DF04345D
SHA-256:9CB0EF1CD00A43F61DDD93F9908BB1940419CFC765023760C619330D26B57F90
SHA-512:5258C57E8973129F764D156A3541A1950D3EB4A5FA51A7597D21B808FC1A361EDA7201272BCA132E668C5CE3D7677889D56E13686D2D727C71585064CBDCF63D
Malicious:false
Preview:...@IXOS.@.....@.)uY.@.....@.....@.....@.....@.....@......&.{494D20A3-04AB-4FD6-8901-F174670D563F}..MotiveWave Proffesional..1.e.msi.@.....@.....@.....@........&.{AE533901-3C2C-472E-962D-EC625A769D04}.....@.....@.....@.....@.......@.....@.....@.......@......MotiveWave Proffesional......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E25DC234-7628-6376-8C4F-A0A9098FCA45}H.C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\Asset.wav.@.......@.....@.....@......&.{D68C2780-F9C3-81E8-0F41-7C694D8990E4}J.C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\Catalog.xsd.@.......@.....@.....@......&.{CAB78203-16F2-2578-2018-CE2829DF386C}Q.C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\CES_PlugInHost.dll.@.......@.....@.....@......&.{3F182DF9-CF16-E26C-D6D5-EEEC3DE9133D}L.C:\Users\user\AppData\Local\Programs\MotiveWave Prof

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.1614995561050092
Encrypted:false
SSDEEP:12:JSbX72FjkAGiLIlHVRpqh/7777777777777777777777777vDHFq+UyXMkCpZl0G:JKQI56xTZnF
MD5:9DE509D041D631D2676752247A912FCD
SHA1:AA42E5B47AF2594EFC7E6C10ECB71E37C3A5BB2E
SHA-256:348F4F689D032B1DE1BD57B6ED123572068665B7208D5B39F7F4421CD1B67961
SHA-512:A1336359DE9B80876115EB66817CE1D7F9727F11D62A628909B7DB39841A999745755EB04C30B92EACA08158B3797C6E05B00F907A616EB48428759D4F6834D8
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.5004657568724995
Encrypted:false
SSDEEP:48:gG8PhpuRc06WXOgFT5mDsGzdS5frlsGzdSIvK:mhp1uFTQ/W2
MD5:F247A6317273633912BB859A67666C42
SHA1:1609089E5DA95702C4A78FEB2597064EED7C1039
SHA-256:C39DF4CC92FEE3E9219C15DEE1428092413B627B9A27EFD952A5C546C93A4ABB
SHA-512:5B3558260BF598959A0DEAABA277C592772201AC51BE28C69AF2528173885D42565012CD28472082E2F18437948CAFC3D92F76F5DAB7B08B2866C5FFE911741C
Malicious:false
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):364484
                                                                                                                                      Entropy (8bit):5.365500848314247
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau8:zTtbmkExhMJCIpEH
                                                                                                                                      MD5:91AA16301B75C80D11AC8F38ABE8EF5E
                                                                                                                                      SHA1:F7C0E38D51EABC1091B52D8C558CE472EA6C7ABE
                                                                                                                                      SHA-256:9D7277D1352EA9D8F277ACE2078D5BC377ECFAFF26C714C55C9BAA7C5FF2F5E3
                                                                                                                                      SHA-512:C68B7493AFA29B84E8E9C8136452D09523C94A3CC1459BBA5EFF4F004FB6F7FC71BC1074F1D90AD2FC4177D01A12A3983DF8FAD6AA6388357CC232E125B77B5A
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):512
                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3::
                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):512
                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3::
                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):32768
                                                                                                                                      Entropy (8bit):0.0684577160434631
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOq+UmXXMOLxX6Vky6lZ:2F0i8n0itFzDHFq+UyXMkPZ
                                                                                                                                      MD5:174E59845F30BBF54A1B83F6BE56F639
                                                                                                                                      SHA1:679635FB610F27C3AB9587D7CCE6EB34128C408C
                                                                                                                                      SHA-256:0978B2F2AEF4CB14D37FA4DB3EA191F2CFEE7E631F91F3B8A42C266AED48DA16
                                                                                                                                      SHA-512:39C3623F72E5E5A074585141290CF9776D0AB4A97E70C453D89922B6D3E60093D24FBD26B7CDB6475F253B3004A2FE573CFEBCE937ED5881026E8A525D509858
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):512
                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3::
                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):512
                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3::
                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):32768
                                                                                                                                      Entropy (8bit):1.2064939891832152
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:zwMRuBAMLFXOlT5zDsGzdS5frlsGzdSIvK:z1RgoTd/W2
                                                                                                                                      MD5:11CD6A3195D3F6B0C867843183D85539
                                                                                                                                      SHA1:BCE66E19A6A9869B37034577352CF9BEAEE9F40A
                                                                                                                                      SHA-256:2410ADFF3D6738E776A893FEF7B48A269C3D03F8D380FB6B1F849FA775A8B522
                                                                                                                                      SHA-512:B56481A2E0EE830E77588FD165155B68C760146313E3FD8203EFBD883EB03D1AE69F84696D275A18C1AA3884A3EA73638723B9D828286FC31CF505BA64DFB97B
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):512
                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3::
                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):20480
                                                                                                                                      Entropy (8bit):1.5004657568724995
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:gG8PhpuRc06WXOgFT5mDsGzdS5frlsGzdSIvK:mhp1uFTQ/W2
                                                                                                                                      MD5:F247A6317273633912BB859A67666C42
                                                                                                                                      SHA1:1609089E5DA95702C4A78FEB2597064EED7C1039
                                                                                                                                      SHA-256:C39DF4CC92FEE3E9219C15DEE1428092413B627B9A27EFD952A5C546C93A4ABB
                                                                                                                                      SHA-512:5B3558260BF598959A0DEAABA277C592772201AC51BE28C69AF2528173885D42565012CD28472082E2F18437948CAFC3D92F76F5DAB7B08B2866C5FFE911741C
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):69632
                                                                                                                                      Entropy (8bit):0.11839109587805101
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:4ogKEOwVmG+gdipVEwVmG+gdipV7VQwGKlrkghA+:mKELsGzdSLsGzdS5fr2
                                                                                                                                      MD5:45F6527651FD03E890536D2728E426FA
                                                                                                                                      SHA1:F09537C0269CEB30E8EC5ED2FF5F61A0B1B7FE3D
                                                                                                                                      SHA-256:807FECE2D4174169A2797BAF1DBE0F31A1D2081BB1149F39B7EA8EE0E7B3DB46
                                                                                                                                      SHA-512:D4FF8B83F9699C56BA1A473303718CA42C0B141845160D3D8CAE4F5A73E9C29AFEC10E25695509AFEC4F5C4CD3D1B2949981B24EF14EE6DEF10A3D6B35DEC3FC
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):32768
                                                                                                                                      Entropy (8bit):1.2064939891832152
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:zwMRuBAMLFXOlT5zDsGzdS5frlsGzdSIvK:z1RgoTd/W2
                                                                                                                                      MD5:11CD6A3195D3F6B0C867843183D85539
                                                                                                                                      SHA1:BCE66E19A6A9869B37034577352CF9BEAEE9F40A
                                                                                                                                      SHA-256:2410ADFF3D6738E776A893FEF7B48A269C3D03F8D380FB6B1F849FA775A8B522
                                                                                                                                      SHA-512:B56481A2E0EE830E77588FD165155B68C760146313E3FD8203EFBD883EB03D1AE69F84696D275A18C1AA3884A3EA73638723B9D828286FC31CF505BA64DFB97B
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):32768
                                                                                                                                      Entropy (8bit):1.2064939891832152
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:zwMRuBAMLFXOlT5zDsGzdS5frlsGzdSIvK:z1RgoTd/W2
                                                                                                                                      MD5:11CD6A3195D3F6B0C867843183D85539
                                                                                                                                      SHA1:BCE66E19A6A9869B37034577352CF9BEAEE9F40A
                                                                                                                                      SHA-256:2410ADFF3D6738E776A893FEF7B48A269C3D03F8D380FB6B1F849FA775A8B522
                                                                                                                                      SHA-512:B56481A2E0EE830E77588FD165155B68C760146313E3FD8203EFBD883EB03D1AE69F84696D275A18C1AA3884A3EA73638723B9D828286FC31CF505BA64DFB97B
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):20480
                                                                                                                                      Entropy (8bit):1.5004657568724995
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:gG8PhpuRc06WXOgFT5mDsGzdS5frlsGzdSIvK:mhp1uFTQ/W2
                                                                                                                                      MD5:F247A6317273633912BB859A67666C42
                                                                                                                                      SHA1:1609089E5DA95702C4A78FEB2597064EED7C1039
                                                                                                                                      SHA-256:C39DF4CC92FEE3E9219C15DEE1428092413B627B9A27EFD952A5C546C93A4ABB
                                                                                                                                      SHA-512:5B3558260BF598959A0DEAABA277C592772201AC51BE28C69AF2528173885D42565012CD28472082E2F18437948CAFC3D92F76F5DAB7B08B2866C5FFE911741C
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MotiveWave Proffesional, Author: MotiveWave Software, Keywords: Installer, Comments: This installer database contains the logic and data required to install MotiveWave Proffesional., Template: Intel;1033, Revision Number: {AE533901-3C2C-472E-962D-EC625A769D04}, Create Time/Date: Tue Nov 12 16:50:30 2024, Last Saved Time/Date: Tue Nov 12 16:50:30 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                      Entropy (8bit):7.998958277200641
                                                                                                                                      TrID:
                                                                                                                                      • Microsoft Windows Installer (60509/1) 88.31%
                                                                                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 11.69%
                                                                                                                                      File name:1.e.msi
                                                                                                                                      File size:44'130'304 bytes
                                                                                                                                      MD5:c6482889fe38ab6fac54f0b220ac5407
                                                                                                                                      SHA1:0a69fbde5b864d04ac9c28e2361b2d2e684c8f38
                                                                                                                                      SHA256:0c70a985493b30edda772a39d108743e11b52569bccbb8e5b48a271765fb998d
                                                                                                                                      SHA512:7e952a053c54cfd5dcc3854459ac53ccbf56880e4978030f32f55d433f545002683fc1a43a0e0d919f1b8608e84da72c7c1fa0b575171c91ca1d75048bee8934
                                                                                                                                      SSDEEP:786432:Ik4FDMyBJdSbNA0Dmrv+XkyxQ+wFyz1thYPATnoYELCw:VkncYTRGyPqoLCw
                                                                                                                                      TLSH:19A73383E10AE5D4D0209F7A887D6649C11BCC86BF16E4E7627FF1C35079F296BA424B
                                                                                                                                      File Content Preview:........................>.................................................................................... ...$...(.........................................................................................................................................
                                                                                                                                      Icon Hash:2d2e3797b32b2b99

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-21T11:17:48.249406+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49963 | 148.251.107.246 | 443 | TCP
                                                                                                                                      • Total Packets: 24
                                                                                                                                      • 443 (HTTPS)
                                                                                                                                      • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 11:17:02.327781916 CET | 49854 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2024 11:17:02.447282076 CET | 53 | 49854 | 8.8.8.8 | 192.168.2.5
Nov 21, 2024 11:17:02.452172995 CET | 49854 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2024 11:17:04.424050093 CET | 49859 | 443 | 192.168.2.5 | 148.251.107.246
Nov 21, 2024 11:17:04.424119949 CET | 443 | 49859 | 148.251.107.246 | 192.168.2.5
Nov 21, 2024 11:17:04.424175024 CET | 49859 | 443 | 192.168.2.5 | 148.251.107.246
Nov 21, 2024 11:17:04.472042084 CET | 49859 | 443 | 192.168.2.5 | 148.251.107.246
Nov 21, 2024 11:17:04.472083092 CET | 443 | 49859 | 148.251.107.246 | 192.168.2.5
Nov 21, 2024 11:17:04.472141027 CET | 49859 | 443 | 192.168.2.5 | 148.251.107.246
Nov 21, 2024 11:17:04.472143888 CET | 443 | 49859 | 148.251.107.246 | 192.168.2.5
Nov 21, 2024 11:17:04.472161055 CET | 443 | 49859 | 148.251.107.246 | 192.168.2.5
Nov 21, 2024 11:17:05.381721973 CET | 53 | 49854 | 8.8.8.8 | 192.168.2.5
Nov 21, 2024 11:17:05.381841898 CET | 49854 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2024 11:17:05.484592915 CET | 49865 | 443 | 192.168.2.5 | 185.174.135.68
Nov 21, 2024 11:17:05.484613895 CET | 443 | 49865 | 185.174.135.68 | 192.168.2.5
Nov 21, 2024 11:17:05.484674931 CET | 49865 | 443 | 192.168.2.5 | 185.174.135.68
Nov 21, 2024 11:17:05.536469936 CET | 49865 | 443 | 192.168.2.5 | 185.174.135.68
Nov 21, 2024 11:17:05.536508083 CET | 443 | 49865 | 185.174.135.68 | 192.168.2.5
Nov 21, 2024 11:17:05.536547899 CET | 49865 | 443 | 192.168.2.5 | 185.174.135.68
Nov 21, 2024 11:17:05.536582947 CET | 443 | 49865 | 185.174.135.68 | 192.168.2.5
Nov 21, 2024 11:17:05.536670923 CET | 443 | 49865 | 185.174.135.68 | 192.168.2.5
Nov 21, 2024 11:17:06.590059042 CET | 49866 | 443 | 192.168.2.5 | 185.81.114.227
Nov 21, 2024 11:17:06.590082884 CET | 443 | 49866 | 185.81.114.227 | 192.168.2.5
Nov 21, 2024 11:17:06.590151072 CET | 49866 | 443 | 192.168.2.5 | 185.81.114.227
Nov 21, 2024 11:17:06.663136959 CET | 49866 | 443 | 192.168.2.5 | 185.81.114.227
Nov 21, 2024 11:17:06.663156986 CET | 443 | 49866 | 185.81.114.227 | 192.168.2.5
Nov 21, 2024 11:17:06.663217068 CET | 49866 | 443 | 192.168.2.5 | 185.81.114.227
Nov 21, 2024 11:17:06.663225889 CET | 443 | 49866 | 185.81.114.227 | 192.168.2.5
Nov 21, 2024 11:17:06.663286924 CET | 443 | 49866 | 185.81.114.227 | 192.168.2.5
Nov 21, 2024 11:17:07.672524929 CET | 49870 | 443 | 192.168.2.5 | 23.227.178.53
Nov 21, 2024 11:17:07.672635078 CET | 443 | 49870 | 23.227.178.53 | 192.168.2.5
Nov 21, 2024 11:17:07.672748089 CET | 49870 | 443 | 192.168.2.5 | 23.227.178.53
Nov 21, 2024 11:17:07.727670908 CET | 49870 | 443 | 192.168.2.5 | 23.227.178.53
Nov 21, 2024 11:17:07.727700949 CET | 443 | 49870 | 23.227.178.53 | 192.168.2.5
Nov 21, 2024 11:17:07.727766991 CET | 49870 | 443 | 192.168.2.5 | 23.227.178.53
Nov 21, 2024 11:17:07.727773905 CET | 443 | 49870 | 23.227.178.53 | 192.168.2.5
Nov 21, 2024 11:17:07.727812052 CET | 443 | 49870 | 23.227.178.53 | 192.168.2.5
Nov 21, 2024 11:17:07.728924990 CET | 49870 | 443 | 192.168.2.5 | 23.227.178.53
Nov 21, 2024 11:17:07.728940010 CET | 443 | 49870 | 23.227.178.53 | 192.168.2.5
Nov 21, 2024 11:17:48.191373110 CET | 49963 | 443 | 192.168.2.5 | 148.251.107.246
Nov 21, 2024 11:17:48.191435099 CET | 443 | 49963 | 148.251.107.246 | 192.168.2.5
Nov 21, 2024 11:17:48.191530943 CET | 49963 | 443 | 192.168.2.5 | 148.251.107.246
Nov 21, 2024 11:17:48.249406099 CET | 49963 | 443 | 192.168.2.5 | 148.251.107.246
Nov 21, 2024 11:17:48.249459028 CET | 443 | 49963 | 148.251.107.246 | 192.168.2.5
Nov 21, 2024 11:17:48.249512911 CET | 49963 | 443 | 192.168.2.5 | 148.251.107.246
Nov 21, 2024 11:17:48.249511957 CET | 443 | 49963 | 148.251.107.246 | 192.168.2.5
Nov 21, 2024 11:17:48.249538898 CET | 443 | 49963 | 148.251.107.246 | 192.168.2.5

                                                                                                                                      Target ID:0
                                                                                                                                      Start time:05:15:42
                                                                                                                                      Start date:21/11/2024
                                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.e.msi"
                                                                                                                                      Imagebase:0x7ff688190000
                                                                                                                                      File size:69'632 bytes
                                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:2
                                                                                                                                      Start time:05:15:45
                                                                                                                                      Start date:21/11/2024
                                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                      Imagebase:0x7ff688190000
                                                                                                                                      File size:69'632 bytes
                                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:false

Target ID: 3
Start time: 05:15:54
Start date: 21/11/2024
Path: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe"
Imagebase: 0x50000
File size: 56'488'784 bytes
MD5 hash: 4725DA5F62C1456C206E15ED7FDFBE06
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2258406791.000000000DA69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2262520808.000000000E58B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2259094247.000000000DFFB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2260967692.000000000DA67000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false
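Every Yara hit above is a memory dump rather than the file on disk, and the generic credential-stealer rule and the DanaBot family rule fire on the same regions each time. When triaging a report like this it helps to reduce the match list to the set of memory regions and check which regions are corroborated by more than one rule. The script below is an added example, not part of the sandbox report or its tooling: it parses match lines in the shape shown above and groups the rule names by the base address embedded in the `.sdmp` source identifier. The meaning of the dotted fields (target index, dump kind, dump serial, base address, trailing flags) is an assumption; only the fourth field, read as a hexadecimal base address, is relied on, and the input lines are constructed copies of the report's own entries.

```python
"""Group sandbox Yara matches by the memory region they fired on.

Added triage example. Assumption (not stated on the report page): a source
such as 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp
carries target index, dump kind, dump serial, region base address (hex) and
flag words, in that order. Only the base address is used for grouping.
"""
import re
from collections import defaultdict

# Constructed sample input: four lines copied in the shape of the report's
# "Yara matches" bullets (two regions, both rules on each).
SAMPLE_MATCHES = """\
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2261694829.000000000DA68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2260014975.000000000D4D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
"""

MATCH_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>[^,]+),"
    r"\s*Source:\s*(?P<source>[^,\s]+),\s*Author:\s*(?P<author>.+)$"
)


def parse_source(source: str) -> dict:
    """Split a .sdmp identifier into its dotted fields (field meaning assumed)."""
    if not source.endswith(".sdmp"):
        raise ValueError(f"not a memory-dump source: {source}")
    parts = source[: -len(".sdmp")].split(".")
    if len(parts) < 4:
        raise ValueError(f"unexpected source layout: {source}")
    return {
        "target": int(parts[0], 16),   # matches the entry's "Target ID" (assumed)
        "kind": int(parts[1], 16),     # dump-kind code (assumed)
        "dump_serial": parts[2],
        "base": int(parts[3], 16),     # region base address, hexadecimal
        "flags": tuple(parts[4:]),
    }


def parse_matches(text: str) -> list:
    """Parse report match lines; lines that do not fit the pattern are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        m = MATCH_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["src"] = parse_source(rec["source"])
        records.append(rec)
    return records


def rules_by_region(matches: list) -> dict:
    """Map region base address -> set of rule names that fired on it."""
    regions = defaultdict(set)
    for rec in matches:
        regions[rec["src"]["base"]].add(rec["rule"])
    return dict(regions)


def corroborated_regions(matches: list, required: set) -> list:
    """Bases on which every rule in `required` fired, sorted ascending.

    A region hit only by a generic rule is weaker evidence than one hit by the
    family rule as well, so this is the list worth carving out for analysis.
    """
    return sorted(
        base for base, rules in rules_by_region(matches).items() if required <= rules
    )


if __name__ == "__main__":
    recs = parse_matches(SAMPLE_MATCHES)
    both = {"JoeSecurity_CredentialStealer", "JoeSecurity_DanaBot_stealer_dll"}
    for base, rules in sorted(rules_by_region(recs).items()):
        print(f"0x{base:08X}: {', '.join(sorted(rules))}")
    print("corroborated:", [f"0x{b:08X}" for b in corroborated_regions(recs, both)])
```

Feed it the full match list from the process entry (the bullet prefix is tolerated) and the output is one line per region with the rules that hit it; in the report above every region carries both rules, which is the signal that the dumped code, not just a generic string, was identified.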

                                                                                                                                      No disassembly