Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
1.e.msi

Overview

General Information

Sample name:1.e.msi
Analysis ID:1560059
MD5:c6482889fe38ab6fac54f0b220ac5407
SHA1:0a69fbde5b864d04ac9c28e2361b2d2e684c8f38
SHA256:0c70a985493b30edda772a39d108743e11b52569bccbb8e5b48a271765fb998d
Infos:

Detection

DanaBot
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Suricata IDS alerts for network traffic
Yara detected DanaBot stealer dll
May use the Tor software to hide its network traffic
PE file has a writeable .text section
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Yara detected Credential Stealer

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64native
  • msiexec.exe (PID: 4648 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.e.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 3204 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • DiffDog.exe (PID: 436 cmdline: "C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe" MD5: 4725DA5F62C1456C206E15ED7FDFBE06)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DanaBotProofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBots modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
  • SCULLY SPIDER
https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_DanaBot_stealer_dllYara detected DanaBot stealer dllJoe Security
      00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_DanaBot_stealer_dllYara detected DanaBot stealer dllJoe Security
          00000005.00000003.42524052287.000000000FA67000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 12 entries

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-21T11:26:37.807952+010020344651Malware Command and Control Activity Detected192.168.11.2049749148.251.107.246443TCP
            2024-11-21T11:26:38.852394+010020344651Malware Command and Control Activity Detected192.168.11.2049750185.174.135.68443TCP
            2024-11-21T11:26:39.919776+010020344651Malware Command and Control Activity Detected192.168.11.2049751185.81.114.227443TCP
            2024-11-21T11:26:41.004851+010020344651Malware Command and Control Activity Detected192.168.11.204975223.227.178.53443TCP

            Joe Sandbox Signatures

            • AV Detection
            • Cryptography
            • Compliance
            • Spreading
            • Networking
            • E-Banking Fraud
            • System Summary
            • Data Obfuscation
            • Persistence and Installation Behavior
            • Boot Survival
            • Hooking and other Techniques for Hiding and Protection
            • Malware Analysis System Evasion
            • Anti Debugging
            • HIPS / PFW / Operating System Protection Evasion
            • Language, Device and Operating System Detection
            • Stealing of Sensitive Information
            • Remote Access Functionality

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Source: Yara matchFile source: 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: DiffDog.exe PID: 436, type: MEMORYSTR
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_0640aed7-3
            Source: Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdb source: msvcp140_codecvt_ids.dll.1.dr
            Source: Binary string: ScintillaAltovaChangeExt.zip.doc.docx.svnDiffDog Find Window UNICODEIDD_SPLASH_NT|Edit with %.filedif.dirdif*?CVS.#*.biz.cml.dcd.dtd.ent.fo.math.mml.mtx.rdf.smil.svg.tld.tsd.vml.vxml.wml.wsdl.xdr.xhtml.xml.xsd.xsl.xslt.xbrl.asp.htm.html.jsp.c.cc.cpp.cs.cxx.h.hpp.tli.tlh.java.rc.py.js.avi.bmp.chm.com.dll.dot.exe.gif.gz.hlp.ico.ilk.jar.jpeg.jpg.lib.mdb.mid.mp2.mp3.mp4.mpeg.msi.obj.ogg.pdb.pdf.png.pps.ppt.rar.snd.tar.tif.tiff.ttf.wav.wma.wmf.wmv.xls.pptx.xlsx.css.txt.docm.dotx.dotminvalid hash bucket count$-7 source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\mfc140u.i386.pdbGCTL source: mfc140u.dll.1.dr
            Source: Binary string: d:\v2025_build20240930\trunk\sources\Files\XMLSpyExeFolder\bin32\DiffDog_Release.pdb source: DiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr
            Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
            Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\mfc140u.i386.pdb source: mfc140u.dll.1.dr
            Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: d:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: c:Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

            Networking

            barindex
            Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.11.20:49750 -> 185.174.135.68:443
            Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.11.20:49751 -> 185.81.114.227:443
            Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.11.20:49749 -> 148.251.107.246:443
            Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.11.20:49752 -> 23.227.178.53:443
            Source: global trafficTCP traffic: 192.168.11.20:49744 -> 8.8.8.8:53
            Source: Joe Sandbox ViewASN Name: ALMOUROLTECPT ALMOUROLTECPT
            Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
            Source: Joe Sandbox ViewASN Name: HZ-NL-ASGB HZ-NL-ASGB
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 185.174.135.68
            Source: unknownTCP traffic detected without corresponding DNS query: 185.174.135.68
            Source: unknownTCP traffic detected without corresponding DNS query: 185.174.135.68
            Source: unknownTCP traffic detected without corresponding DNS query: 185.174.135.68
            Source: unknownTCP traffic detected without corresponding DNS query: 185.81.114.227
            Source: unknownTCP traffic detected without corresponding DNS query: 185.81.114.227
            Source: unknownTCP traffic detected without corresponding DNS query: 185.81.114.227
            Source: unknownTCP traffic detected without corresponding DNS query: 185.81.114.227
            Source: unknownTCP traffic detected without corresponding DNS query: 23.227.178.53
            Source: unknownTCP traffic detected without corresponding DNS query: 23.227.178.53
            Source: unknownTCP traffic detected without corresponding DNS query: 23.227.178.53
            Source: unknownTCP traffic detected without corresponding DNS query: 23.227.178.53
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 185.174.135.68
            Source: unknownTCP traffic detected without corresponding DNS query: 185.174.135.68
            Source: unknownTCP traffic detected without corresponding DNS query: 185.174.135.68
            Source: unknownTCP traffic detected without corresponding DNS query: 185.174.135.68
            Source: unknownTCP traffic detected without corresponding DNS query: 185.81.114.227
            Source: unknownTCP traffic detected without corresponding DNS query: 185.81.114.227
            Source: unknownTCP traffic detected without corresponding DNS query: 185.81.114.227
            Source: unknownTCP traffic detected without corresponding DNS query: 185.81.114.227
            Source: unknownTCP traffic detected without corresponding DNS query: 23.227.178.53
            Source: unknownTCP traffic detected without corresponding DNS query: 23.227.178.53
            Source: unknownTCP traffic detected without corresponding DNS query: 23.227.178.53
            Source: unknownTCP traffic detected without corresponding DNS query: 23.227.178.53
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 148.251.107.246
            Source: unknownTCP traffic detected without corresponding DNS query: 185.174.135.68
            Source: unknownTCP traffic detected without corresponding DNS query: 185.174.135.68
            Source: unknownTCP traffic detected without corresponding DNS query: 185.174.135.68
            Source: unknownTCP traffic detected without corresponding DNS query: 185.174.135.68
            Source: unknownTCP traffic detected without corresponding DNS query: 185.81.114.227
            Source: unknownTCP traffic detected without corresponding DNS query: 185.81.114.227
            Source: unknownTCP traffic detected without corresponding DNS query: 185.81.114.227
            Source: unknownTCP traffic detected without corresponding DNS query: 23.227.178.53
            Source: unknownTCP traffic detected without corresponding DNS query: 23.227.178.53
            Source: unknownTCP traffic detected without corresponding DNS query: 23.227.178.53
            Source: unknownTCP traffic detected without corresponding DNS query: 23.227.178.53
            Source: DiffDog.exe, 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://.css
            Source: DiffDog.exe, 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://.jpg
            Source: sqlite3.dll.1.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
            Source: sqlite3.dll.1.drString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
            Source: sqlite3.dll.1.drString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
            Source: sqlite3.dll.1.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://dev.mysql.com/downloads/connector/odbc
            Source: DiffDog.exe, 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://html4/loose.dtd
            Source: sqlite3.dll.1.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
            Source: sqlite3.dll.1.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
            Source: sqlite3.dll.1.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
            Source: sqlite3.dll.1.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
            Source: sqlite3.dll.1.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
            Source: sqlite3.dll.1.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
            Source: sqlite3.dll.1.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmp, sqlite3.dll.1.drString found in binary or memory: http://www.altova.com
            Source: DiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/
            Source: DiffDog.exe, 00000005.00000003.42486652916.0000000008E48000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.altova.com/Access-Database-OLEDB-32bit-64bit.html
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.altova.com/Access-Database-OLEDB-32bit-64bit.html</a>
            Source: DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/catalog_ext
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/catalog_extspy:specification_catalogspy:keepProxypublicIdrewriteURIuriStartStr
            Source: DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.altova.com/dictionaries
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.altova.com/dictionaries</a>.
            Source: DiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/en-us0.10.010.0010.00010.000010.0000010.00000010.000000010.0000000010.00000000
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/mapforce
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/namespace/meta-attribute
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/namespace/meta-attributeresourcessymbolmodulestringdocu_commentdllexportdllexp
            Source: DiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/samplexml/another-namespace
            Source: DiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/samplexml/other-namespace
            Source: DiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/samplexml/other-namespacehttp://www.altova.com/samplexml/another-namespaceauto
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/samplexml/other-namespacehttp://www.altova.com/samplexml/another-namespaceprob
            Source: DiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/xml-schema-extensions
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/xml-schema-extensionsexample(
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com/xslt-extensions
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.altova.com8
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.firebirdsql.org/en/odbc-driver/
            Source: DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.iana.org/assignments/language-subtag-registry
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.ibm.com/support
            Source: DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.ietf.org/rfc/rfc3066.txt
            Source: DiffDog.exe, 00000005.00000003.42485560784.00000000046F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iso-standards.org/mra/9075/2001/12/sqlxml
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.opengis.net/gml
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.opengis.net/gml/3.2
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.opengis.net/gml/3.3/ce
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.opengis.net/gml/3.3/lr
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.opengis.net/gml/3.3/lro
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.opengis.net/gml/3.3/lrov
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.opengis.net/gml/3.3/lrtr
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.opengis.net/gml/3.3/rgrid
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.opengis.net/gml/3.3/tin
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.opengis.net/gml/3.3/xbt
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.opengis.net/gml/3.3/xer
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.oracle.com/technetwork/database/enterprise-edition/downloads/112010-win32soft-098987.html
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.postgresql.org/ftp/odbc/versions/
            Source: DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.rfc-editor.org/rfc/bcp/bcp47.txt
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.wapforum.org/2001/wml
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.xbrl.org/2003/XLink
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.xbrl.org/2003/XLinkhttp://xbrl.org/2005/xbrldthttp://xbrl.org/2006/xbrldihttp://www.w3.or
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.xbrl.org/2003/instance
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.xbrl.org/2003/iso4217
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.xbrl.org/2003/linkbase
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.xbrl.org/2008/function/instance
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.xbrl.org/2008/inlineXBRL
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.xbrl.org/2010/function/formula
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.xbrl.org/2013/inlineXBRL
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.xbrl.org/inlineXBRL/transformation/2010-04-20
            Source: DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.xmlspy.com)
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2005/xbrldi/errors
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2005/xbrldt
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2005/xbrldt/errors
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2006/xbrldi
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/assertion/consistency
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/assertion/consistency/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/assertion/existence
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/assertion/existence/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/assertion/value
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/assertion/value/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/boolean
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/boolean/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/concept
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/concept/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/dimension
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/dimension/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/entity
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/entity/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/general
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/general/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/implicit/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/match
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/match/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/period
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/period/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/relative
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/relative/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/segment-scenario
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/segment-scenario/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/tuple
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/tuple/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/unit
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/unit/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/value
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/filter/value/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/formula
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/formula/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/function
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/generic
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/generic/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/label
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/label/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/reference
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/reference/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/validation
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/validation/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/variable
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/variable/aspectTest
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2008/variable/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2010/custom-function
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2010/custom-function/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2010/filter/aspect-cover
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2010/filter/aspect-cover/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2010/filter/concept-relation
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2010/filter/concept-relation/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2010/message
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2010/message/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2010/message/validation
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2010/message/validation/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2010/variable/instance
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2010/variable/instance/error
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xbrl.org/2013/versioning-base
            Source: DiffDog.exe, 00000005.00000003.42485560784.00000000046F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xmlns.oracle.com/xdb
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://xmlns.oracle.com/xdbsqlxmlxmlns:sqlxmlhttp://www.iso-standards.org/mra/9075/2001/12/sqlxml
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://downloads.mariadb.org/connector-odbc/
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://downloads.teradata.com/download/connectivity/odbc-driver/windows
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://link.altova.com/api/
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://link.altova.com/api/package-manager/v1/bootstrap
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://link.altova.com/api/package-manager/v1/telemetry
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://link.altova.com/liveupdate.asp
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://link.altova.com/liveupdate.aspLicManRefererhttps://
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://link.altova.com/orderfromsw.asp?echttps://link.altova.com/keyinfo.asp?WrongEditionNoSMPSMPEx
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://link.altova.com/support_getfreeauthentic.asp?licenselocald:
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://link.staging.vie.altova.com/api/
            Source: DiffDog.exe, 00000005.00000003.42485560784.00000000046F5000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://link.staging.vie.altova.com/api/package-manager/v1/bootstrap
            Source: DiffDog.exe, 00000005.00000003.42485560784.00000000046F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://link.staging.vie.altova.com/api/package-manager/v1/bootstrap0
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://link.staging.vie.altova.com/api/package-manager/v1/bootstraphttps://link.altova.com/api/pack
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://link.staging.vie.altova.com/api/package-manager/v1/telemetry
            Source: DiffDog.exe, 00000005.00000003.42486652916.0000000008E48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portal.azure.com/
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portal.azure.com/</a>.
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.altova.com
            Source: DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/eula.html
            Source: DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/manual/
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.altova.com/manualonlineHelpServer%s/%s/%s/%s.%s/HelpTopicIds.jsonhelpTopicIdFileonlineHe
            Source: DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/privacy
            Source: DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/privacy.html
            Source: DiffDog.exe, 00000005.00000003.42486652916.0000000008E48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/smp
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/smp</a>.
            Source: DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/support
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.altova.com/support</a>
            Source: sqlite3.dll.1.drString found in binary or memory: https://www.globalsign.com/repository/0
            Source: DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.openai.com/
            Source: DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.openai.com/</a>.
            Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
            Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
            Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
            Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745

            E-Banking Fraud

            barindex
            Source: Yara matchFile source: 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: DiffDog.exe PID: 436, type: MEMORYSTR

            System Summary

            barindex
            Source: CES_PlugInHost.dll.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\813e7c.msiJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{494D20A3-04AB-4FD6-8901-F174670D563F}Jump to behavior
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI47D3.tmpJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\813e7e.msiJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\813e7e.msiJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\813e7e.msiJump to behavior
            Source: icudt58.dll.1.drStatic PE information: No import functions for PE file found
            Source: classification engineClassification label: mal64.troj.evad.winMSI@4/58@0/5
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\InstallerJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeMutant created: \Sessions\1\BaseNamedObjects\Local\Altova_rid_DD::P::27_YXJ0aHVy_mtx
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF3FFE01ED652F2DB4.TMPJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
            Source: DiffDog.exe, 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: sqlite3.dll.1.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: sqlite3.dll.1.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: CREATE TABLE "version" ("graph_major" INTEGER, "schema_major" INTEGER);
            Source: sqlite3.dll.1.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: sqlite3.dll.1.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: DiffDog.exe, 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: DiffDog.exe, 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: sqlite3.dll.1.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: sqlite3.dll.1.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
            Source: DiffDog.exe, 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: sqlite3.dll.1.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
            Source: 1.e.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
            Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.e.msi"
            Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe "C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe"
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe "C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe"Jump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: dsrole.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msxml3.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: vss_ps.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: mfc140u.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: msimg32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: sqlite3.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: icuuc58.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: icuin58.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: d3d11.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: d2d1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: prntvpt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: libpng16.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: credui.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: cryptui.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: odbc32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: jhelp1.1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: icudt58.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: postsharp.patterns.model.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: ces_pluginhost.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: cesimageutility.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: dxcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: oleacc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wshunix.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: avifil32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: msvfw32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: msacm32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: pstorec.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeWindow found: window name: SysTabControl32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeWindow detected: Number of UI elements: 18
            Source: 1.e.msiStatic file information: File size 44130304 > 1048576
            Source: Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdb source: msvcp140_codecvt_ids.dll.1.dr
            Source: Binary string: ScintillaAltovaChangeExt.zip.doc.docx.svnDiffDog Find Window UNICODEIDD_SPLASH_NT|Edit with %.filedif.dirdif*?CVS.#*.biz.cml.dcd.dtd.ent.fo.math.mml.mtx.rdf.smil.svg.tld.tsd.vml.vxml.wml.wsdl.xdr.xhtml.xml.xsd.xsl.xslt.xbrl.asp.htm.html.jsp.c.cc.cpp.cs.cxx.h.hpp.tli.tlh.java.rc.py.js.avi.bmp.chm.com.dll.dot.exe.gif.gz.hlp.ico.ilk.jar.jpeg.jpg.lib.mdb.mid.mp2.mp3.mp4.mpeg.msi.obj.ogg.pdb.pdf.png.pps.ppt.rar.snd.tar.tif.tiff.ttf.wav.wma.wmf.wmv.xls.pptx.xlsx.css.txt.docm.dotx.dotminvalid hash bucket count$-7 source: DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\mfc140u.i386.pdbGCTL source: mfc140u.dll.1.dr
            Source: Binary string: d:\v2025_build20240930\trunk\sources\Files\XMLSpyExeFolder\bin32\DiffDog_Release.pdb source: DiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr
            Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
            Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\mfc140u.i386.pdb source: mfc140u.dll.1.dr
            Source: concrt140.dll.1.drStatic PE information: 0x801EEB2B [Thu Feb 11 14:05:31 2038 UTC]
            Source: icuuc58.dll.1.drStatic PE information: real checksum: 0x13ee7d should be: 0x137742
            Source: CES_PlugInHost.dll.1.drStatic PE information: real checksum: 0xc7c2d should be: 0xcfc2d
            Source: PostSharp.Patterns.Model.dll.1.drStatic PE information: real checksum: 0x0 should be: 0xe41e6
            Source: PostSharp.Patterns.Model.dll.1.drStatic PE information: section name: _RDATA
            Source: mfc140u.dll.1.drStatic PE information: section name: .didat
            Source: jhelp1.1.dll.1.drStatic PE information: section name: _RDATA
            Source: CES_PlugInHost.dll.1.drStatic PE information: section name: .text1
            Source: CES_PlugInHost.dll.1.drStatic PE information: section name: .data1
            Source: CES_PlugInHost.dll.1.drStatic PE information: section name: _RDATA
            Source: DiffDog.exe.1.drStatic PE information: section name: OTB
            Source: DiffDog.exe.1.drStatic PE information: section name: .detourc
            Source: DiffDog.exe.1.drStatic PE information: section name: .detourd
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\concrt140.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\PostSharp.Patterns.Model.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\ucrtbase.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\vccorlib140.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\sqlite3.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_codecvt_ids.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\jhelp1.1.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\vcruntime140.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\CES_PlugInHost.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_2.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icuin58.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\mfc140u.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\libpng16.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icudt58.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_atomic_wait.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icuuc58.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_1.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestoreJump to behavior

            Hooking and other Techniques for Hiding and Protection

            barindex
            Source: DiffDog.exe, 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42524052287.000000000FA67000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: torConnect
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeWindow / User API: threadDelayed 1486Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeWindow / User API: threadDelayed 712Jump to behavior
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\concrt140.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\vccorlib140.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_codecvt_ids.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_2.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_atomic_wait.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_1.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe TID: 2924Thread sleep time: -74300s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe TID: 7320Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe TID: 5644Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
            Source: DiffDog.exe, 00000005.00000003.42485560784.00000000046F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: DiffDog.exe, 00000005.00000003.42485560784.00000000046F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
            Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe "C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe"Jump to behavior
            Source: DiffDog.exe, 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
            Source: DiffDog.exe, 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: explorer.exeShell_TrayWnd
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\12Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\12Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\12Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\10Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\10Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\10Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Source: Yara matchFile source: 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: DiffDog.exe PID: 436, type: MEMORYSTR
            Source: Yara matchFile source: 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42524052287.000000000FA67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: DiffDog.exe PID: 436, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Source: Yara matchFile source: 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: DiffDog.exe PID: 436, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire Infrastructure1
            Replication Through Removable Media            		Windows Management Instrumentation1
            Windows Service            		1
            Windows Service            		11
            Masquerading            		OS Credential Dumping1
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		2
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/Job1
            DLL Side-Loading            		2
            Process Injection            		1
            Virtualization/Sandbox Evasion            		LSASS Memory1
            Virtualization/Sandbox Evasion            		Remote Desktop ProtocolData from Removable Media1
            Multi-hop Proxy            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            DLL Side-Loading            		1
            Disable or Modify Tools            		Security Account Manager2
            Process Discovery            		SMB/Windows Admin SharesData from Network Shared Drive1
            Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput Capture1
            Proxy            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Timestomp            		LSA Secrets11
            Peripheral Device Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            DLL Side-Loading            		Cached Domain Credentials1
            System Owner/User Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            File Deletion            		DCSync2
            File and Directory Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem43
            System Information Discovery            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 1560059 Sample: 1.e.msi Startdate: 21/11/2024 Architecture: WINDOWS Score: 64 29 Suricata IDS alerts for network traffic 2->29 31 Yara detected DanaBot stealer dll 2->31 33 PE file has a writeable .text section 2->33 6 msiexec.exe 107 64 2->6         started        9 msiexec.exe 3 2->9         started        process3 file4 15 C:\Users\user\AppData\...\vcruntime140.dll, PE32 6->15 dropped 17 C:\Users\user\AppData\...\vccorlib140.dll, PE32 6->17 dropped 19 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 6->19 dropped 21 16 other files (none is malicious) 6->21 dropped 11 DiffDog.exe 31 6->11         started        process5 dnsIp6 23 185.81.114.227, 443, 49747, 49751 HZ-NL-ASGB United Kingdom 11->23 25 23.227.178.53, 443, 49748, 49752 HVC-ASUS United States 11->25 27 3 other IPs or domains 11->27 35 May use the Tor software to hide its network traffic 11->35 signatures7

            Screenshots

            Download Video

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\CES_PlugInHost.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\concrt140.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icudt58.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icuin58.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\libpng16.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\mfc140u.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_1.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_2.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_atomic_wait.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_codecvt_ids.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\sqlite3.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\ucrtbase.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\vccorlib140.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\vcruntime140.dll0%ReversingLabs

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://www.firebirdsql.org/en/odbc-driver/0%Avira URL Cloudsafe
            http://www.xbrl.org/2010/function/formula0%Avira URL Cloudsafe
            http://www.opengis.net/gml/3.3/xer0%Avira URL Cloudsafe
            http://www.altova.com/dictionaries0%Avira URL Cloudsafe
            http://www.altova.com/samplexml/other-namespacehttp://www.altova.com/samplexml/another-namespaceauto0%Avira URL Cloudsafe
            http://www.altova.com/xml-schema-extensions0%Avira URL Cloudsafe
            http://www.altova.com/en-us0.10.010.0010.00010.000010.0000010.00000010.000000010.0000000010.000000000%Avira URL Cloudsafe
            http://xmlns.oracle.com/xdbsqlxmlxmlns:sqlxmlhttp://www.iso-standards.org/mra/9075/2001/12/sqlxml0%Avira URL Cloudsafe
            http://www.iso-standards.org/mra/9075/2001/12/sqlxml0%Avira URL Cloudsafe
            http://www.xbrl.org/2003/XLink0%Avira URL Cloudsafe
            http://www.xbrl.org/2003/instance0%Avira URL Cloudsafe
            http://www.opengis.net/gml/3.3/lrtr0%Avira URL Cloudsafe
            https://link.altova.com/support_getfreeauthentic.asp?licenselocald:0%Avira URL Cloudsafe
            http://www.opengis.net/gml/3.20%Avira URL Cloudsafe
            https://link.altova.com/liveupdate.aspLicManRefererhttps://0%Avira URL Cloudsafe
            http://www.xbrl.org/2003/XLinkhttp://xbrl.org/2005/xbrldthttp://xbrl.org/2006/xbrldihttp://www.w3.or0%Avira URL Cloudsafe
            http://www.altova.com/samplexml/another-namespace0%Avira URL Cloudsafe
            https://www.altova.com/smp0%Avira URL Cloudsafe
            http://www.altova.com/samplexml/other-namespace0%Avira URL Cloudsafe
            https://link.staging.vie.altova.com/api/package-manager/v1/bootstrap00%Avira URL Cloudsafe
            http://www.xbrl.org/2003/linkbase0%Avira URL Cloudsafe
            http://www.altova.com/mapforce0%Avira URL Cloudsafe
            https://www.altova.com/support</a>0%Avira URL Cloudsafe
            http://www.altova.com/catalog_extspy:specification_catalogspy:keepProxypublicIdrewriteURIuriStartStr0%Avira URL Cloudsafe
            http://www.altova.com/xml-schema-extensionsexample(0%Avira URL Cloudsafe
            http://www.opengis.net/gml/3.3/rgrid0%Avira URL Cloudsafe
            http://www.xmlspy.com)0%Avira URL Cloudsafe
            http://www.altova.com/0%Avira URL Cloudsafe
            http://www.xbrl.org/2013/inlineXBRL0%Avira URL Cloudsafe
            https://www.altova.com/privacy0%Avira URL Cloudsafe
            http://www.altova.com0%Avira URL Cloudsafe
            http://html4/loose.dtd0%Avira URL Cloudsafe
            http://www.altova.com80%Avira URL Cloudsafe
            https://www.altova.com/privacy.html0%Avira URL Cloudsafe
            https://link.altova.com/api/0%Avira URL Cloudsafe
            https://link.staging.vie.altova.com/api/package-manager/v1/bootstrap0%Avira URL Cloudsafe
            https://www.altova.com/smp</a>.0%Avira URL Cloudsafe
            http://www.opengis.net/gml/3.3/lro0%Avira URL Cloudsafe
            https://downloads.mariadb.org/connector-odbc/0%Avira URL Cloudsafe
            http://www.wapforum.org/2001/wml0%Avira URL Cloudsafe
            https://www.altova.com/manualonlineHelpServer%s/%s/%s/%s.%s/HelpTopicIds.jsonhelpTopicIdFileonlineHe0%Avira URL Cloudsafe
            http://.css0%Avira URL Cloudsafe
            http://www.opengis.net/gml/3.3/lrov0%Avira URL Cloudsafe
            https://link.altova.com/api/package-manager/v1/telemetry0%Avira URL Cloudsafe
            https://link.altova.com/liveupdate.asp0%Avira URL Cloudsafe
            http://www.altova.com/Access-Database-OLEDB-32bit-64bit.html0%Avira URL Cloudsafe

            Domains and IPs

            Download Network PCAP: filteredfull

            Contacted Domains

            No contacted domains info
            NameSourceMaliciousAntivirus DetectionReputation
            http://www.altova.com/en-us0.10.010.0010.00010.000010.0000010.00000010.000000010.0000000010.00000000DiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.xbrl.org/2003/XLinkDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.altova.com/dictionariesDiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.xbrl.org/2010/function/formulaDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://xbrl.org/2008/filter/periodDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
              		high
              http://www.altova.com/xml-schema-extensionsDiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.firebirdsql.org/en/odbc-driver/DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.opengis.net/gml/3.3/xerDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://xbrl.org/2010/filter/concept-relationDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                		high
                http://www.iso-standards.org/mra/9075/2001/12/sqlxmlDiffDog.exe, 00000005.00000003.42485560784.00000000046F5000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://xbrl.org/2008/filter/match/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                  		high
                  http://xmlns.oracle.com/xdbsqlxmlxmlns:sqlxmlhttp://www.iso-standards.org/mra/9075/2001/12/sqlxmlDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.altova.com/samplexml/other-namespacehttp://www.altova.com/samplexml/another-namespaceautoDiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://xbrl.org/2010/custom-functionDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                    		high
                    http://xbrl.org/2010/filter/aspect-cover/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                      		high
                      http://xbrl.org/2008/filter/dimension/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                        		high
                        http://xbrl.org/2008/generic/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                          		high
                          https://curl.se/docs/hsts.htmlDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                            		high
                            http://www.xbrl.org/2003/instanceDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://xbrl.org/2008/filter/concept/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                              		high
                              http://xbrl.org/2010/message/validationDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                		high
                                http://www.opengis.net/gml/3.2DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://link.altova.com/liveupdate.aspLicManRefererhttps://DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://xbrl.org/2008/filter/relative/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                  		high
                                  https://link.altova.com/support_getfreeauthentic.asp?licenselocald:DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.opengis.net/gml/3.3/lrtrDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://xbrl.org/2008/filter/booleanDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                    		high
                                    http://www.altova.com/samplexml/another-namespaceDiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.xbrl.org/2003/XLinkhttp://xbrl.org/2005/xbrldthttp://xbrl.org/2006/xbrldihttp://www.w3.orDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://www.altova.com/smpDiffDog.exe, 00000005.00000003.42486652916.0000000008E48000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.altova.com/samplexml/other-namespaceDiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://www.openai.com/DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://schemas.xmlsoap.org/soap/encoding/DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                        		high
                                        http://xbrl.org/2008/filter/period/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                          		high
                                          http://www.postgresql.org/ftp/odbc/versions/DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmpfalse
                                            		high
                                            http://xbrl.org/2008/filter/dimensionDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                              		high
                                              http://xbrl.org/2008/variable/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                		high
                                                http://xbrl.org/2013/versioning-baseDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                  		high
                                                  http://xbrl.org/2008/validationDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                    		high
                                                    https://link.staging.vie.altova.com/api/package-manager/v1/bootstrap0DiffDog.exe, 00000005.00000003.42485560784.00000000046F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://xbrl.org/2008/filter/conceptDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                      		high
                                                      https://curl.se/docs/alt-svc.htmlDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                        		high
                                                        http://xbrl.org/2008/filter/matchDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                          		high
                                                          http://xbrl.org/2008/filter/generalDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                            		high
                                                            http://www.xbrl.org/2003/linkbaseDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://xbrl.org/2008/assertion/consistencyDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                              		high
                                                              http://xbrl.org/2008/formula/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                		high
                                                                http://www.opengis.net/gml/3.3/rgridDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                http://xbrl.org/2010/filter/concept-relation/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                  		high
                                                                  http://www.rfc-editor.org/rfc/bcp/bcp47.txtDiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                    		high
                                                                    http://xbrl.org/2008/filter/segment-scenario/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                      		high
                                                                      http://xbrl.org/2008/variable/aspectTestDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                        		high
                                                                        https://www.altova.com/support</a>DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://xbrl.org/2010/filter/aspect-coverDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                          		high
                                                                          http://www.altova.com/mapforceDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          http://schemas.xmlsoap.org/wsdl/http/DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                            		high
                                                                            http://xbrl.org/2008/filter/entity/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                              		high
                                                                              http://xbrl.org/2008/reference/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                		high
                                                                                http://dev.mysql.com/downloads/connector/odbcDiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                  		high
                                                                                  http://schemas.xmlsoap.org/wsdl/DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                    		high
                                                                                    http://www.altova.com/xml-schema-extensionsexample(DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    http://www.altova.com/catalog_extspy:specification_catalogspy:keepProxypublicIdrewriteURIuriStartStrDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    http://www.xmlspy.com)DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    https://www.altova.com/privacyDiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    http://www.altova.com/DiffDog.exe, 00000005.00000000.42478381349.0000000002A1C000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    http://www.xbrl.org/2013/inlineXBRLDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    https://www.openai.com/</a>.DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://schemas.xmlsoap.org/wsdl/mime/DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                        		high
                                                                                        http://www.altova.comDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmp, sqlite3.dll.1.drfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        http://www.altova.com8DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        http://html4/loose.dtdDiffDog.exe, 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://www.altova.com/privacy.htmlDiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://link.staging.vie.altova.com/api/package-manager/v1/bootstrapDiffDog.exe, 00000005.00000003.42485560784.00000000046F5000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://portal.azure.com/DiffDog.exe, 00000005.00000003.42486652916.0000000008E48000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://downloads.mariadb.org/connector-odbc/DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          https://link.altova.com/api/DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          https://www.altova.com/smp</a>.DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          http://www.opengis.net/gml/3.3/lroDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          http://xbrl.org/2008/filter/valueDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                            		high
                                                                                            http://xbrl.org/2010/messageDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                              		high
                                                                                              http://www.wapforum.org/2001/wmlDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              		unknown
                                                                                              http://xbrl.org/2008/assertion/valueDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                		high
                                                                                                http://schemas.xmlsoap.org/soap/envelope/DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                  		high
                                                                                                  https://www.altova.com/manualonlineHelpServer%s/%s/%s/%s.%s/HelpTopicIds.jsonhelpTopicIdFileonlineHeDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown
                                                                                                  http://xbrl.org/2008/filter/value/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                    		high
                                                                                                    http://www.opengis.net/gml/3.3/lrovDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    		unknown
                                                                                                    http://xbrl.org/2008/filter/tuple/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                      		high
                                                                                                      https://link.altova.com/liveupdate.aspDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      https://link.altova.com/api/package-manager/v1/telemetryDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      http://xbrl.org/2005/xbrldtDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                        		high
                                                                                                        http://xbrl.org/2008/filter/unitDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                          		high
                                                                                                          http://xbrl.org/2010/custom-function/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                            		high
                                                                                                            http://xbrl.org/2008/assertion/existenceDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                              		high
                                                                                                              http://.cssDiffDog.exe, 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              		unknown
                                                                                                              http://www.altova.com/Access-Database-OLEDB-32bit-64bit.htmlDiffDog.exe, 00000005.00000003.42486652916.0000000008E48000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000000.42480630819.0000000003C0A000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000000.42480630819.00000000034B2000.00000002.00000001.01000000.00000004.sdmp, DiffDog.exe, 00000005.00000003.42486752223.0000000008E07000.00000004.00000020.00020000.00000000.sdmp, DiffDog.exe, 00000005.00000003.42486851804.0000000008E1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              		unknown
                                                                                                              http://xbrl.org/2005/xbrldi/errorsDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                		high
                                                                                                                http://xbrl.org/2006/xbrldiDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                  		high
                                                                                                                  http://xbrl.org/2010/variable/instanceDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://schemas.xmlsoap.org/wsdl/soap/DiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                      		high
                                                                                                                      http://xbrl.org/2008/filter/unit/errorDiffDog.exe, 00000005.00000000.42478381349.00000000026D2000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                        		high

                                                                                                                        World Map of Contacted IPs

                                                                                                                        • No. of IPs < 25%
                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                        • 75% < No. of IPs

                                                                                                                        Public IPs

                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                        8.8.8.8
                                                                                                                        		unknownUnited States
                                                                                                                        		15169GOOGLEUSfalse
                                                                                                                        185.174.135.68
                                                                                                                        		unknownIran (ISLAMIC Republic Of)
                                                                                                                        		24768ALMOUROLTECPTtrue
                                                                                                                        148.251.107.246
                                                                                                                        		unknownGermany
                                                                                                                        		24940HETZNER-ASDEtrue
                                                                                                                        185.81.114.227
                                                                                                                        		unknownUnited Kingdom
                                                                                                                        		59711HZ-NL-ASGBtrue
                                                                                                                        23.227.178.53
                                                                                                                        		unknownUnited States
                                                                                                                        		29802HVC-ASUStrue

                                                                                                                        General Information

                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                        Analysis ID:1560059
                                                                                                                        Start date and time:2024-11-21 11:22:33 +01:00
                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                        Overall analysis duration:0h 8m 3s
                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                        Report type:full
                                                                                                                        Cookbook file name:default.jbs
                                                                                                                        Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                                                                                        Run name:Potential for more IOCs and behavior
                                                                                                                        Number of analysed new started processes analysed:6
                                                                                                                        Number of new started drivers analysed:0
                                                                                                                        Number of existing processes analysed:0
                                                                                                                        Number of existing drivers analysed:0
                                                                                                                        Number of injected processes analysed:0
                                                                                                                        Technologies:
                                                                                                                        • EGA enabled
                                                                                                                        • AMSI enabled
                                                                                                                        Analysis Mode:default
                                                                                                                        Analysis stop reason:Timeout
                                                                                                                        Sample name:1.e.msi
                                                                                                                        Detection:MAL
                                                                                                                        Classification:mal64.troj.evad.winMSI@4/58@0/5
                                                                                                                        Cookbook Comments:
                                                                                                                        • Found application associated with file extension: .msi
                                                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, VSSVC.exe, svchost.exe
                                                                                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                        • VT rate limit hit for: 1.e.msi

                                                                                                                        Simulations

                                                                                                                        Behavior and APIs

                                                                                                                        TimeTypeDescription
                                                                                                                        05:25:27API Interceptor1190x Sleep call for process: DiffDog.exe modified

                                                                                                                        Joe Sandbox View / Context

                                                                                                                        IPs

                                                                                                                        No context

                                                                                                                        Domains

                                                                                                                        No context

                                                                                                                        ASNs

                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                        ALMOUROLTECPTPedido de Cota#U00e7#U00e3o-241107.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                        • 94.46.181.151
                                                                                                                        http://loginmcsoftmlcrosoftoni365.madrides.copypremium.com/?reactivador/ahora0D1%20/=YWxvbnNvYmFAbWFkcmlkLmVzGet hashmaliciousUnknownBrowse
                                                                                                                        • 94.46.180.190
                                                                                                                        mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                        • 185.174.135.118
                                                                                                                        xmpsl.elfGet hashmaliciousUnknownBrowse
                                                                                                                        • 185.174.135.118
                                                                                                                        ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                        • 185.174.135.118
                                                                                                                        mpsl.elfGet hashmaliciousUnknownBrowse
                                                                                                                        • 185.174.135.118
                                                                                                                        http://360mozambique.com/Get hashmaliciousUnknownBrowse
                                                                                                                        • 130.185.81.219
                                                                                                                        Remittance_Advise_03092024.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                                                                        • 130.185.87.6
                                                                                                                        nested-ConsultTrustNorth-payment Requisition #42 3L# 1414 18 Dock.pdf..emlGet hashmaliciousUnknownBrowse
                                                                                                                        • 94.46.22.222
                                                                                                                        HETZNER-ASDEexe009.exeGet hashmaliciousEmotetBrowse
                                                                                                                        • 195.201.56.70
                                                                                                                        owari.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                        • 195.201.30.54
                                                                                                                        ________.exeGet hashmaliciousQuasarBrowse
                                                                                                                        • 195.201.57.90
                                                                                                                        bPRQRIfbbq.exeGet hashmaliciousUnknownBrowse
                                                                                                                        • 95.216.12.30
                                                                                                                        bPRQRIfbbq.exeGet hashmaliciousUnknownBrowse
                                                                                                                        • 168.119.160.252
                                                                                                                        AD6dpKQm7n.exeGet hashmaliciousUnknownBrowse
                                                                                                                        • 144.76.175.205
                                                                                                                        AD6dpKQm7n.exeGet hashmaliciousUnknownBrowse
                                                                                                                        • 195.201.9.37
                                                                                                                        ickTGSF56D.exeGet hashmaliciousUnknownBrowse
                                                                                                                        • 185.229.90.81
                                                                                                                        ickTGSF56D.exeGet hashmaliciousUnknownBrowse
                                                                                                                        • 91.107.171.171
                                                                                                                        HZ-NL-ASGBJGWfssorui.dllGet hashmaliciousDanaBotBrowse
                                                                                                                        • 185.117.90.36
                                                                                                                        ElTZP4yjRG.dllGet hashmaliciousDanaBotBrowse
                                                                                                                        • 185.117.90.36
                                                                                                                        H6PtrbXJ9Q.dllGet hashmaliciousDanaBotBrowse
                                                                                                                        • 185.117.90.36
                                                                                                                        JGWfssorui.dllGet hashmaliciousDanaBotBrowse
                                                                                                                        • 185.117.90.36
                                                                                                                        ElTZP4yjRG.dllGet hashmaliciousDanaBotBrowse
                                                                                                                        • 185.117.90.36
                                                                                                                        H6PtrbXJ9Q.dllGet hashmaliciousDanaBotBrowse
                                                                                                                        • 185.117.90.36
                                                                                                                        Mj1o4aZG6y.dllGet hashmaliciousDanaBotBrowse
                                                                                                                        • 185.117.90.36
                                                                                                                        OYGqoSlvmi.dllGet hashmaliciousDanaBotBrowse
                                                                                                                        • 185.117.90.36
                                                                                                                        Mj1o4aZG6y.dllGet hashmaliciousDanaBotBrowse
                                                                                                                        • 185.117.90.36

                                                                                                                        JA3 Fingerprints

                                                                                                                        No context

                                                                                                                        Dropped Files

                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                        C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\CES_PlugInHost.dllyJYNZgoiNh.msiGet hashmaliciousDanaBot, RHADAMANTHYSBrowse

                                                                                                                          Created / dropped Files

                                                                                                                          C:\Config.Msi\813e7d.rbs

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:modified
                                                                                                                          Size (bytes):14217
                                                                                                                          Entropy (8bit):5.796525177916396
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:Bm32izSLUIXIci0WGNL3U6yPaNwF2e6xlpU24CsThqHU24C6jRmAEThqaHnhwA9L:BmPSLUIXIcq2egi2PIB2PT2cL0pm
                                                                                                                          MD5:01E75F1B4BB6C87D1E9BE86422948883
                                                                                                                          SHA1:BFF1860DB5EC7FD8937344D084542CC6F973DC7A
                                                                                                                          SHA-256:52F403E330796A8AF8A3B5C8C8B84B19CA91FD63DDAA39887E7877704AA19AAC
                                                                                                                          SHA-512:23A5298B26435D5CE40EFDAAC64B56DF0B2100443E5BF748E865737F4C56F121619849659582377ADECF2471B6FA973A3AB64651917169D97C58414A1EA0D080
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:...@IXOS.@.....@.+uY.@.....@.....@.....@.....@.....@......&.{494D20A3-04AB-4FD6-8901-F174670D563F}..MotiveWave Proffesional..1.e.msi.@.....@.....@.....@........&.{AE533901-3C2C-472E-962D-EC625A769D04}.....@.....@.....@.....@.......@.....@.....@.......@......MotiveWave Proffesional......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E25DC234-7628-6376-8C4F-A0A9098FCA45}&.{494D20A3-04AB-4FD6-8901-F174670D563F}.@......&.{D68C2780-F9C3-81E8-0F41-7C694D8990E4}&.{494D20A3-04AB-4FD6-8901-F174670D563F}.@......&.{CAB78203-16F2-2578-2018-CE2829DF386C}&.{494D20A3-04AB-4FD6-8901-F174670D563F}.@......&.{3F182DF9-CF16-E26C-D6D5-EEEC3DE9133D}&.{494D20A3-04AB-4FD6-8901-F174670D563F}.@......&.{5AB29011-62BD-1767-4357-5685FD119F8C}&.{494D20A3-04AB-4FD6-8901-F174670D563F}.@......&.{DE3E957E-08CD-F98F-6829-831E651A10C9}&.{494D20A3-04AB-4FD6-8901-F174670D563F}.@......&.{49EF81A1-5FAD-FFDD-FB1F-5B7C47D4205C}&.{

                                                                                                                          C:\Users\user\AppData\LocalLow\Intel\ShaderCache\2c4f7bd67e2e7dca9d6a5efbeee3b97634fffb0b51270739310f62f6c3aa60a0

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):26
                                                                                                                          Entropy (8bit):3.873140679513132
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:tAvnXVG8d:tgXVVd
                                                                                                                          MD5:2DE2373EF07261CAC4D4BF7D3FE31122
                                                                                                                          SHA1:8A5BD414AFD96AFAED4EB413D033240BC6A71C94
                                                                                                                          SHA-256:F6F219ED2C4029EBC3071C036B64113AA62A7A342D2FD5965FD122D5C90BC9BC
                                                                                                                          SHA-512:AF4CACDD0A501DCB37318FA9E5B7049AFEB8E0EE6EB0770F0B013C70E32123FA45C1508DD12921C909C0C9F88AC8A2F3041A16747E5FF145B4FB15E8509DB105
                                                                                                                          Malicious:false
                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                          Preview:INSC.>.....Mar222021150038

                                                                                                                          C:\Users\user\AppData\LocalLow\Intel\ShaderCache\f5475abb762c777fabfb70720cc20ec89eae5e2332e1546009885472bb81dd92

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):26
                                                                                                                          Entropy (8bit):3.873140679513132
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:tAvnXVG8d:tgXVVd
                                                                                                                          MD5:2DE2373EF07261CAC4D4BF7D3FE31122
                                                                                                                          SHA1:8A5BD414AFD96AFAED4EB413D033240BC6A71C94
                                                                                                                          SHA-256:F6F219ED2C4029EBC3071C036B64113AA62A7A342D2FD5965FD122D5C90BC9BC
                                                                                                                          SHA-512:AF4CACDD0A501DCB37318FA9E5B7049AFEB8E0EE6EB0770F0B013C70E32123FA45C1508DD12921C909C0C9F88AC8A2F3041A16747E5FF145B4FB15E8509DB105
                                                                                                                          Malicious:false
                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                          Preview:INSC.>.....Mar222021150038

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\Asset.wav

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3294764
                                                                                                                          Entropy (8bit):7.496644508270185
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:B3MSGT5V5gjv0clnTVh5snYWyvKIQIBayw6argJVebvpcOtov6:WSmV5gbFlnBh5pHSIQI1x8bhcOtc
                                                                                                                          MD5:BCFAF0B488D6F9202E19DA2AF421295C
                                                                                                                          SHA1:31CB4E8451DA080447AD24F020642D234CFD9C3F
                                                                                                                          SHA-256:1EBC3E97D024B35FBD06D88CA73111C40C18A0F7F538E301C1C59D0CF5E76C73
                                                                                                                          SHA-512:55E585799C29DFA5DD77285AD09CC52D9C99E6D2324FCB76FA0F0D80DB7A0AFB7ABAEA0D1548625FEB8E2E6775271A4D5A903ECA85D334C72B4B4E4CEFE8F76F
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:RIFF$F2.WAVEfmt ........D...........data.F2.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\Assets\DiffDog.png

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6964
                                                                                                                          Entropy (8bit):7.888302991768184
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:u3ctrnjvx0h0ZhMFjt6yAOPlO/oupwXnqMli5Y:uYrjvxm0cFZU/PwXLlAY
                                                                                                                          MD5:EA257A08F4311B77D02F0DBA3F1734CC
                                                                                                                          SHA1:D4D7A73A562D3FA9986C47EED0E172CD7D583FA4
                                                                                                                          SHA-256:20AB1C341364D83285C82DE62408796667CBA9BE7AE65C915D4E1E12EF7AD97B
                                                                                                                          SHA-512:E69EDD5004252E0B9F42510BC428573E2F249CDE3622784B14F0AE1830FAC7ED44457726F4C411D2AC4F9DEF0DFFD85FEC6EAAD55041E0B4F86E4738412C5FF4
                                                                                                                          Malicious:false
                                                                                                                          Preview:.PNG........IHDR...............?1....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.mPTW......6t...@..AA!+.G2%.;&~l...h.n..l.&.j2.1..GjcM.GfR.'U;)M....-......B*.........A.n".((.I.m..t7..=..s.y...=.G....=.|<....?. ....'.(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(.......I.....]..........Y...Z..L....h..x.X.761.;L.g...t.$...8.................p........8..0>.gM...d:P..@.C.k...Q.U.pe8A...eH...4.M}.M}..}<4..*r.+r..(P.]@*.A.....G.$!..a.@..."....R.U....fBY.".V.. 6P.....\...Jg.`."(.......t....g-.'+/.4Ps@@....C............R......?r.....<...U.X......`.'@.........6c.O.h.....I.r.`..,........*.<R....W..2"...."..o.........x.e.TSn......r..#..<.A.i..\.~.J{dD6..wi..{g0..dD.....A..`.........2..o.c.....v.Q%oU`C..\.?z.4..Tm_Y.c%iH......:~....,...K..#..=.....[..R.o.\.M.h.....gH......V..ev...{gpU.P..[.m.Z......._Xd).$......SJm.......6...`.+...R..../..3.....H[<...._..w@2.0.eDd.d. .s...0.eDX.......P.3Y..S.

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\CES_PlugInHost.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):793896
                                                                                                                          Entropy (8bit):6.361162287984917
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:jS7GF1lwwJ5Pb6DCgog1POF+/Iox3xqmodIgysRl38sWKLlWCRFR0eQdzOaGaMiQ:jSypS7sRl38VKLlWC/R2d9GTiJKDBWWT
                                                                                                                          MD5:49CE1F597A415370D85C1BF7AA9C8C56
                                                                                                                          SHA1:5F98F65879D3701D9E1BDB5F68B02F59F5020F55
                                                                                                                          SHA-256:6CAF24C107B6D10504E73DEC841C4169D5F5A4D366B699402C8D2A51E877032E
                                                                                                                          SHA-512:1B730E43311808105F39273A5A940BBECCDDD22058F3046BE5771F9AC51B5A2E372774026EE79BF38261BD6026CF9B4EB0260075EBDE932C5687720C80BDBA6A
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Joe Sandbox View:
                                                                                                                          • Filename: yJYNZgoiNh.msi, Detection: malicious, Browse
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-@n|~@n|~@n|~..~An|~^<.~Bn|~...~in|~...~.n|~...~zn|~I..~Qn|~@n}~.n|~@n|~cn|~...~An|~...~An|~...~An|~Rich@n|~........................PE..L.....*Z...........!.....&...................@...............................`......-|....@..........................1..S....!..........................(3......$U...C..8...............................@............@...............................text............................... ....text1..4.... ... .................. ..`.rdata.......@.......*..............@..@.data...8b...@...8..................@....data1...........0...T..............@..._RDATA..@...........................@..@.rsrc...............................@..@.reloc...[.......\..................@..B........................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\Catalog.xsd

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8041
                                                                                                                          Entropy (8bit):4.9565671053416755
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:aLGVxrHPu3Wds+i9AcE0y0U0p0q0u0i0z0k70b0E0zHPu3Wds+i9Uf:a6xrHPu3Wds+i9AcE0y0U0p0q0u0i0z5
                                                                                                                          MD5:6C0B3D979D22421930C9B239EB07E475
                                                                                                                          SHA1:915AB07AFFBC8BC6C49FBC9130A9365D03D18E84
                                                                                                                          SHA-256:A45D1CBFA731390FC62804D2D2C22C31AE9F1B8F77EB93ECB47900F4F1C481B5
                                                                                                                          SHA-512:2AC395450F9C6D1BD72BB677681558FBADD0F41ED1CB9A49F400C333C270842544FBAAB2DE2C6A4E525D3E51D01D227A0F0BD22609903EEBD89DB865F944F188
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:er="urn:oasis:names:tc:entity:xmlns:xml:catalog" targetNamespace="urn:oasis:names:tc:entity:xmlns:xml:catalog" elementFormDefault="qualified">... $Id: catalog.xsd,v 1.15 2005/10/07 13:27:08 ndw Exp $ -->...<xs:simpleType name="pubIdChars">....<xs:restriction base="xs:string">.....<xs:pattern value="[a-zA-Z0-9\-'\(\)+,./:=?;!*#@$_%]*"/>....</xs:restriction>.... A string of the characters defined as pubIdChar in production 13.. of the Second Edition of the XML 1.0 Recommendation. Does not include.. the whitespace characters because they're normalized by XML parsing. -->...</xs:simpleType>...<xs:simpleType name="publicIdentifier">....<xs:restriction base="er:pubIdChars"/>...</xs:simpleType>...<xs:simpleType name="partialPublicIdentifier">....<xs:restriction base="er:pubIdChars"/>...</xs:simpleType>...<xs:simpleType name="systemOrPublic">....<xs:restriction base="xs:

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\CoreCatalog.xml

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):613
                                                                                                                          Entropy (8bit):5.094466343717647
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:TMHdffwQKY8i9zfcIB1FfsJySbxSKhx3xSKc6fU:2dfR8K0AgySdPxBW6fU
                                                                                                                          MD5:82C475E52E98D51397AB41136B92DA61
                                                                                                                          SHA1:6BE18BD43EA1423930FB26B70B3C5685674ABC20
                                                                                                                          SHA-256:57DCD5CE9C45E8DF9944F39D1B3F2884264981FFCFF9D07886C02879E770C7AA
                                                                                                                          SHA-512:14E74C40F8F3D08A1182393B273CFE448C038A31A6CA6F52D27A9F8BE3F825411630A860F999098637732212431DF436C054D2B6169B5CFBCCDA72BD76E196A5
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8"?>..<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:spy="http://www.altova.com/catalog_ext" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:entity:xmlns:xml:catalog..Catalog.xsd">... OASIS catalog -->...<uri name="urn:oasis:names:tc:entity:xmlns:xml:catalog" uri="Catalog.xsd"/>... Global remapping of folders -->...<rewriteURI uriStartString="http://www.altova.com/sps/" rewritePrefix="sps/"/>...<rewriteURI uriStartString="http://www.altova.com/stylesheets/" rewritePrefix="stylesheets/"/>..</catalog>..

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):56488784
                                                                                                                          Entropy (8bit):6.5969305669123806
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:786432:MyHtEcPdUNaQ7GQPgOwm/BLlu26kpzin9CRPsz51raPqP1b6aki5918ONqRxxsho:MyHtgaq3Llu26wQ9xz4TwKhvbXk8j
                                                                                                                          MD5:4725DA5F62C1456C206E15ED7FDFBE06
                                                                                                                          SHA1:C16D38C88FB83C659B0242319588F7A9EF84CB34
                                                                                                                          SHA-256:BD9167760C89CAC9EBDF0A683C2FA071699F7907B05097CB2F961D66E184A943
                                                                                                                          SHA-512:DB1B335FA7458D7F6A3FDB4732565B912F79D2A78FCE851982317F27EBDC4E76E85A7BBCC85AA5588FB15567FAA5991C465424F73E8EB1E5542ECF7A487A2A9F
                                                                                                                          Malicious:false
                                                                                                                          Preview:MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........4...U..U..U... ..U..-q.U..~)..U.....U...=..U..U..W...)..LW..~)..MU...)..U...<..U...-..U.....U.....U.....U......U...-..U...-..U...-...U..U..E.....U.......\......U......U..Rich.U..........................PE..L....e.g...............&.....6........Y...... ....@...........................g......]^...@... .............................d.D.$...................].P)...0I..`..x...T...............................@............ ..t<...........................text............................... ..`OTB................................. ..`.rdata..<.d.. ....d.................@..@.data...p.V...E..&M...E.............@....detourc.....P......................@..@.detourd.....p......................@....rsrc.............................@..@.reloc...`...0I..b...h?.............@..B........................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.inst

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3
                                                                                                                          Entropy (8bit):0.9182958340544896
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Fn:F
                                                                                                                          MD5:8F90D1880964B7959E49E2E8709BE70B
                                                                                                                          SHA1:49FCD181196FB550373E83D498CAFB2EAEE026CC
                                                                                                                          SHA-256:5DF748FD8E021B176386CEF8FC4920967EA2C9AB7CA615B013744C9A6614546C
                                                                                                                          SHA-512:3A3D2DB35C27B6DAA877E28B9D920D8B2CFCEC0DB30A5C897D2F1322540BD855FDD1C9662F119A9468F372F03A6E8334680A8CCDC704BCC93F30D58907913228
                                                                                                                          Malicious:false
                                                                                                                          Preview:DDP

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\Galleries\Firewall.db

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5756600
                                                                                                                          Entropy (8bit):7.9993408402145345
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:98304:NbAhSufpPetrLukQdkGCzQCMTKPbolT+cCdqt1Zd/VGK5UOstmHcGBm/BmOGrWzF:Na9etvQyDtBhPqt1Zd0K6OSm8GcpmO4e
                                                                                                                          MD5:E0F09C38734FD0A9EB232CDE6E85DCB9
                                                                                                                          SHA1:93A1988A3B0C211FFCD00402E75AC7092F25A897
                                                                                                                          SHA-256:1ABA6FF4B2C920363A97151732F8EF89F16CDB0B798469A8860625FBD28AAA62
                                                                                                                          SHA-512:9E42667C3F5A4DD6996A9129F4264E1DC458124D6EE5869ADE04AB11EE7081BD53EC3B1716A1B930B4B2A5414EE304E03908C02B27E4DD8308D5DD6B43DFADC3
                                                                                                                          Malicious:false
                                                                                                                          Preview:...t.)...u...~..k.................................1012546698.?=<>+! #eDHKC[ANYqjF\4'2>9z34ZX[Z\\_^.ECBDLGFI|ryz{v}Ctsruuwvy.~z}}w~a`UR\]R^PZnjmlnn..c................o.......................R........................&.......................%..............................................................<>......:698::=<.;! "*%$'OG\NXCMC QPSSUTW.\X[[U\_^urzwwus.FHKJLLON.usrt|wvy........pcbeegfi.njmkgn..................w..................................................................c................S..................u.r.a.v.<.G.h.l.n.m.`.s.U.x.l.y.T0$254"698.<=<=.! #.%T'T)G+M-^/OQ=S6U5W"Y9[.]._+A3C-E*G#I<K.M8O/q.s.ulwvyx{z}.z~a`cbed~fihsjml.k..................................................=..............................................`...................|cxd'yp%)v/bdv{kspvs`a?.l?y.....103.0477.8;:.D._...`D.C....L..I.ebdb..gdjklj<.j.qw..psYFIHSJML.KqprPutw"5*..:*..,!$.?/+.'-S.[.%7....................................................................@.......

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\HelpTopicIds.json

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:JSON data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2485
                                                                                                                          Entropy (8bit):4.891927318351078
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:TYSHiPgfgFpY07uv97H9OwgIhoI+I8IxIyxH04BEzOGzG6T/8zAvzsFzRzizVzKh:TYSHRdRXjhy+3EjzTGALYJokyGZ
                                                                                                                          MD5:263B83458EF7864BF99A9B61DED01945
                                                                                                                          SHA1:C9B419F7D8601EAF496E016529678E48E1ECC67C
                                                                                                                          SHA-256:DFBC57396B4ED8C1A629F5116CE715B05D91E3F3B97D166E953143D1427C36A2
                                                                                                                          SHA-512:06DDCE927683B3AFED8B60B9F268CBFE440F5C733EA364E7C07788E096913EDC7D15D87CB71D72F608FE14F01F3535D5D6E64869D2E9508966CA032318C59331
                                                                                                                          Malicious:false
                                                                                                                          Preview:{..."Encoding": "xsmenufile_encoding",..."GotoLineChar": "xsmenuview_gotolinechar",..."XmlNamespacePrefix": "xsmenuxml_namespaceprefix",..."XmlSpySendByMail": "xsmenufile_sendbymail",..."XmlSpyProjectProperties": "xsmenuproject_properties",..."XmlSpyGenerateDtdSchema": "xsmenudtdschema_generatedtdschema",..."XmlSpyGenerateJsonSchema": "xsjson_generateschema",..."XmlSpyGenerateSampleXmlJsonFile": "xsmenudtdschema_gensamplexmljsonfile",..."XmlSpyConvertXmlJson": "xsmenuconvert_convertxml2json",..."XmlSpyConvertXmlSchemaJsonSchema": "xsmenuconvert_xmlschematojsonschema",..."XmlSpySettingsAIDialog": "xsmenutools_options_aiassistant",..."XmlSpySettingsFile": "xsmenutools_options_file",..."XmlSpySettingsFileExt": "xsmenutools_options_filetypes",..."XmlSpySettingsEncoding": "xsmenutools_options_encoding",..."XmlSpySettingsEditing": "xsmenutools_options_editing",..."XmlSpySettingsPrettyPrinting": "xsmenutools_options_prettyprinting",..."XmlSpySettingsValidation": "xsmenutools_options_validatio

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\PostSharp.Patterns.Model.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):881664
                                                                                                                          Entropy (8bit):6.692804515627905
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:Mkk9aXkf40dzsDa7cThcZezRN41jwrreyrXXkopp5v7XQuKX3Aor6Qx3V0U6OAQd:saKgrnewXkopp5jy3Ak6Qx3V0F4
                                                                                                                          MD5:88E91CFDFA4B6D3741C31B9FCB96DFB4
                                                                                                                          SHA1:8AC1059B04F32675FDF9F6D8A055C293C042C4E5
                                                                                                                          SHA-256:2F70FC194FCD522A1309456F36C45B2C7127D4691F5C8E1E1703C108BF53622D
                                                                                                                          SHA-512:E8B1DD5DD0781A2BCF4F39BC8ABECD4001019CCC4E4E029BD41264A528B0C4BF3EFA6E2CE49189D10135B6ACE423D9A1BF4AD4937A6D0A31E5CA435970DF3864
                                                                                                                          Malicious:false
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........V........................+...................................................@......................................................Rich............PE..L....3g...........!...).....X......V........0............................................@....................................d....P.......................`...[..........................@-......0,..@............0..t............................text...L........................... ..`.rdata..D....0......................@..@.data....b.......V..................@..._RDATA..0....@......................@..@.rsrc........P......................@..@.reloc...[...`...\..................@..B........................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\RootCatalog.xml

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):745
                                                                                                                          Entropy (8bit):5.054457609544642
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:TMHdffwQKY8i9zfcIpWRtytlKHC1LP4pw6qbwkKyi:2dfR8K0vyZ1Em6qbwkI
                                                                                                                          MD5:1D3B96D9DDCE700679AC048EE1CEB71B
                                                                                                                          SHA1:094DD8CE7B65BE13000EF082F18E778686461F2C
                                                                                                                          SHA-256:3A90D85F1DE54984173FC282A061AC270126B6CE1AD0FDD407D6463DC526DE39
                                                                                                                          SHA-512:BB94713A577B19D3730C76BD15B61FAD7F3310C3A0B1DE1E67131D33DA57D11CDFF670C49CEA07824BEF2EB9739EF56005DDE01EAB994692AB1694FD1C820835
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8"?>..<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:spy="http://www.altova.com/catalog_ext" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:entity:xmlns:xml:catalog..Catalog.xsd">...<nextCatalog catalog="%PersonalFolder%/Altova/%AppAndVersionName%/CustomCatalog.xml"/> ... Include all catalogs under common schemas folder on the first directory level -->...<nextCatalog spy:recurseFrom="%CommonSchemasFolder%" catalog="catalog.xml" spy:depth="1"/>...<nextCatalog catalog="CoreCatalog.xml"/>...<nextCatalog spy:recurseFrom="%ApplicationWritableDataFolder%/pkgs/.xsd_cache" catalog="namespace-mapping-catalog.xml" spy:depth="0"/>..</catalog>..

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\Support.sav

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5756378
                                                                                                                          Entropy (8bit):7.999340938398065
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:98304:qbAhSufpPetrLukQdkGCzQCMTKPbolT+cCdqt1Zd/VGK5UOstmHcGBm/BmOGrWz2:qa9etvQyDtBhPqt1Zd0K6OSm8GcpmO49
                                                                                                                          MD5:BD54D1044338266E31CFB70AD6317CB1
                                                                                                                          SHA1:E4C6D3B1C06ADCB2C269058E4E382BF186226824
                                                                                                                          SHA-256:5126D44DE7597BF37C7C9D0DA3740DF44FFC00D20F7462EBE5AD53112A52596A
                                                                                                                          SHA-512:0F4FBF6B0D61FB62FC15E20E294AD1047DB04130A45EC7018EEE0E05E8D2DE432A7F11859E68334428AE9CB96448001BDBAC032ABD384EB6F227C8C9199A59C3
                                                                                                                          Malicious:false
                                                                                                                          Preview:..j....p.O.e...~...................................1012546698.?=<>+! #eDHKC[ANYqjF\4'2>9z34ZX[Z\\_^.ECBDLGFI|ryz{v}Ctsruuwvy.~z}}w~a`UR\]R^PZnjmlnn..c................o.......................R........................&.......................%..............................................................<>......:698::=<.;! "*%$'OG\NXCMC QPSSUTW.\X[[U\_^urzwwus.FHKJLLON.usrt|wvy........pcbeegfi.njmkgn..................w..................................................................c................S..................u.r.a.v.<.G.h.l.n.m.`.s.U.x.l.y.T0$254"698.<=<=.! #.%T'T)G+M-^/OQ=S6U5W"Y9[.]._+A3C-E*G#I<K.M8O/q.s.ulwvyx{z}.z~a`cbed~fihsjml.k..................................................=..............................................`...................|cxd'yp%)v/bdv{kspvs`a?.l?y.....103.0477.8;:.D._...`D.C....L..I.ebdb..gdjklj<.j.qw..psYFIHSJML.KqprPutw"5*..:*..,!$.?/+.'-S.[.%7....................................................................@.......

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\concrt140.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):257616
                                                                                                                          Entropy (8bit):6.701518252422076
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:H3RC9MpwQGXL41H9UsWy64Q7WzB1XmrbB1+1FUqHHlsixuOdm12z/Nrv:XMdV4HXmrkRHNuOdjz
                                                                                                                          MD5:3D0EA6BA3551AEC4717AB2827319A741
                                                                                                                          SHA1:E1273BA1B3D6CDBF93C99B115EF8ACCD84568718
                                                                                                                          SHA-256:1573721C06F70D779F5AEBA175C039202069DA15D8526C3CE0C19B8C7FA985B1
                                                                                                                          SHA-512:BADE3D768BF435C0ADD77BA377866A59146D22E102932FBEAB08FC10B27B9F5BCC5375ED26EE48847FB57649D706FF2AD6192895780C6924E34CAA7FCCA3514A
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........z[.s)[.s)[.s)..r(Y.s)R..)Q.s)].r(^.s)[.r).s)].w(P.s)].p(\.s)].v(..s)].s(Z.s)]..)Z.s)].q(Z.s)Rich[.s)........PE..L...+............."!...&.&...x..............@......................................Jc....@A.............................K.. ...........................PP.......*...;..T...........................(;..@............................................text...\$.......&.................. ..`.data....4...@...2...*..............@....idata...............\..............@..@.rsrc................n..............@..@.reloc...*.......,...r..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\file_dirdif.ico

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:MS Windows icon resource - 6 icons, 16x16, 16 colors, 16x16, 8 bits/pixel
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):19030
                                                                                                                          Entropy (8bit):3.716507862178767
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:sgRODsZW6t7O/PW6DcrX1xzM1NYTmbHmEV68Y/O/c3mAL+y4EAb:s2OoZ7O3+xRwAL+ysb
                                                                                                                          MD5:9323BC80F5A18A056BCBD10831D91820
                                                                                                                          SHA1:2EF7269B341D18E80247F81C81DAA0D740E31FCE
                                                                                                                          SHA-256:34F7C8571EC1618EF30A9C9B0E82779C02AC8033301120EE321DF92685D8A26A
                                                                                                                          SHA-512:E3B1DA91310A0CDF1E99D41D415CC41D4546F8BFBC6F6FF9477CF780DE18A90F988DC0F6F2E36DFB15E521032209ACA65E09A40CA0345C8EB149BB7E722818D9
                                                                                                                          Malicious:false
                                                                                                                          Preview:..............(...f...........h....... .................... .h....... .... .........00.... ..%...$..(....... ...................................................................................................wwp....wwwwp...ww.uP...ww..W...w...U...ww..U...w.XUU...w..uW...uwXUP...uUUUp....uUp.........................................................................................................(....... ...........@........................1t...............................?}.................................................k...H...%............z...b...Js..2P.............k...Hs..%W...U...I...=...1...%s...P.............kk..HH..%%....................s...P.............k..sH..W%..U...I...=...1...%.s...P............k...H...%..........z...b...J.s.2.P..............k...H...%..................s.s.P.P..............k...H...%............z..5v.s.J.P.2.............n...Hs..%W...U...I...=...1.s.%.P..............kk..HH..%%.................s...P................k..sH..W%..U...I...=...1..s%..P.....

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\file_filedif.ico

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:MS Windows icon resource - 6 icons, 16x16, 16 colors, 16x16, 8 bits/pixel
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):19030
                                                                                                                          Entropy (8bit):3.6581828158068537
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:sLPODsZW6Ic7O/ZW6BvX11/g+NYTmWdmqV68Y/O/c3m0o7vCEAb:sLPOox7OxNZXw0o7vWb
                                                                                                                          MD5:BC7F04B672921472EF873A8BA8B43D17
                                                                                                                          SHA1:F649DC3FA6E10551C70B56B77284242B7CB9A243
                                                                                                                          SHA-256:5993FF64F1BE29483E7DAC836C052F7966639C9E1BE674576D1526F09B21BE1B
                                                                                                                          SHA-512:9E49ECE04919105AFFCBEDAED1CE184E9610C82620B6D8CDD6A21FF6BBD383F068DE31E673C7CBD4DE44630CF438A621DD4883D340C77B1C32B900B2B8E06509
                                                                                                                          Malicious:false
                                                                                                                          Preview:..............(...f...........h....... .................... .h....... .... .........00.... ..%...$..(....... ...................................................................................................wwp....wwwwp...ww.uP...ww..W...w...U...ww..U...w.XUU...w..uW...uwXUP...uUUUp....uUp.........................................................................................................(....... ...........@........................1t...............................?}.................................................k...H...%............z...b...Js..2P.............k...Hs..%W...U...I...=...1...%s...P.............kk..HH..%%....................s...P.............k..sH..W%..U...I...=...1...%.s...P............k...H...%..........z...b...J.s.2.P..............k...H...%..................s.s.P.P..............k...H...%............z..5v.s.J.P.2.............n...Hs..%W...U...I...=...1.s.%.P..............kk..HH..%%.................s...P................k..sH..W%..U...I...=...1..s%..P.....

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icudt58.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):26217296
                                                                                                                          Entropy (8bit):6.145231105211082
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:393216:6yAzEe25BzFGsiXUx4YhMWljacUl2nAg9WbkntyemS/wo47Tt930PpUxQFV5eitR:0j2sj2
                                                                                                                          MD5:169A463A9455F425DB2FA780A4D0D09D
                                                                                                                          SHA1:20F595E9211407EAB1307295E950CE8FC8D0CC47
                                                                                                                          SHA-256:5F4863FB6528C22BAC7EAC7D61F28D77C1C373D0A63A9654EB98DF6855E874D1
                                                                                                                          SHA-512:90917354940A9275089DCCC9C129EB4B29684181894C43DD445F10922E6E5251C69BC980F1D079C2B6659E74AAA64E758ED5308C5F5DBA8C56F406834CED71D1
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=.kS..kS..kS..kS..kS..5S..kS..5...kS..5Q..kS.Rich.kS.PE..L....h.[...........!...............................J.................................]....@.........................p..L..............................P)..........P...............................................................................rdata.. .........................@..@.rsrc..............................@..@...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html .d...$k......4k.. ...Gk..p...Zk......kk..P....k.......k..p....k.......k... ...k... ...k...q...k..`q...k..Pr...l...r.."l...r..5l...t..Hl...t..[l..Pu..nl...u...l..0v...l...w...l...x...l..`y...l...y...l...{...l.. |...m..@~...m......,m..@...?m......Rm.....em......xm..P....m.......m.......m..P....m.......m..P....m.......m.......n..0....n..0...2n..

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icuin58.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1853264
                                                                                                                          Entropy (8bit):6.683305360980674
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:6jotJw5htgCvLiFo/cR8miHghwAVrz+Xo6f6JMGeKpwHmKs:5tJw5ht7Loo/cqmY5AVr1Txe7s
                                                                                                                          MD5:EF34C5E58E3E617B9529F498AAADC535
                                                                                                                          SHA1:4FC1CE77A5EC9D3138A143049D8532C8D54138D0
                                                                                                                          SHA-256:DA9E7BB382F40DD0F513D3F2CBB876AC4768853D60509886C0FE262911194952
                                                                                                                          SHA-512:68E3D03D2E602173F257A62243419A593E0B58917CD33D725BEFBFDCFE7C0DB886479845B3B4FEC1CBD9395AE79A30A68A0CA38B3785A71933187E62BEB78934
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H...0...H... ...H... ...H... ...H... ...H... ...H...,...H...H...K... ...H... ..&H... ...H... c..H...H...H... ...H..Rich.H..................PE..L....h.[...........!.....B...........M.......`.....J.........................`......!C....@.........................@...@....'....... ..@...............P)...0...)...O..T...........................XO..@............`...............................text....@.......B.................. ..`.rdata..(X...`...Z...F..............@..@.data....U.......L..................@....rsrc...@.... ......................@..@.reloc...)...0...*..................@..B................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\icuuc58.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1273168
                                                                                                                          Entropy (8bit):6.720729444538501
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:JJBEyK3E7XPEFs5dZvv3wxEQ8z3MkknPrMkkkskkkkkRkkkkkkkkkkkkkkkkkkkf:JJBEyKAXf5d2x6vd
                                                                                                                          MD5:25D1D25E5FA624F6719D84D298B623F4
                                                                                                                          SHA1:CD1A0F149AD047349BDE137B05F27143E1961700
                                                                                                                          SHA-256:C6C89D777220A3D62FB0F32DA2818FED0C8BCE5A5AC19BC69CAB2FEEACEAF96E
                                                                                                                          SHA-512:9258BC211149269627652A4925B0771B80AEF070C851F682D24AE00AA6D0609056B940B3815584CAB8AD723D4A732F9437BD8B57F354C639398DEF6E364512F6
                                                                                                                          Malicious:false
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........l...l...l....$..l......l......l......l......l......l......l...l..l......l.....hl......l...H..l...l ..l......l..Rich.l..........PE..L....h.[...........!.....4...................P.....J................................}.....@.........................@....%..............@............D..P)......<i..0H..T............................H..@............P...............................text....2.......4.................. ..`.rdata..X....P.......8..............@..@.data...............................@....rsrc...@...........................@..@.reloc..<i.......j..................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\jhelp1.1.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):19007536
                                                                                                                          Entropy (8bit):6.695946566681894
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:393216:3YB7yL7lQkdNyp0q70mCEZ8fmf2DuNp6mVOU3WfkT3ZMxXsp88SmgaIALdLmlkYz:IB7k7lK3tCEff2n
                                                                                                                          MD5:3D8CF3C555349DA1E690B115532C2388
                                                                                                                          SHA1:0892A7C9AC32E918CF228D3272BAD000828B792F
                                                                                                                          SHA-256:4EC2B0E2AC29FDDFCF205CE31AACDF7ED26AFB405BB282DB69A04024CC81276F
                                                                                                                          SHA-512:4A170D9E938E20680E9029C9612B55D5B1DF1D6875178A8246117F0D3DC89433AAF53EEE5A17899581CA6E86E64E70DF2975949BDC350B3C5B90C4C01C9E2D12
                                                                                                                          Malicious:false
                                                                                                                          Preview:MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$.........V..8..8..8..;..8..=...8..+...8..+<..8..?..8..+;..8..+=.8.0-<.8.0-=...8.*=.u.8..8..8.*<..8.*=..8.*<..8..<...8..9..8..9.-.8.*1..8.*8..8.*...8.*:..8.Rich.8.........................PE..L....3g...........!...).....h......t.......................................7......%"...@.............................(...8...,.....1.8.............!.0.....1..9..........................@X...... W..@...........................................text...@......................... ..`.rdata..:.a......a................@..@.data...............................@..._RDATA...'....1..(..................@..@.rsrc...8.....1.....................@..@.reloc...9....1..:..................@..B........................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\libpng16.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):246608
                                                                                                                          Entropy (8bit):6.82880321579517
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:ylD2j2inC/u3q+vaQXbjVeSFBKsai7nHh:OKaIqdOReSvKsd7B
                                                                                                                          MD5:9112F8724F0036BC9354F1AE25856344
                                                                                                                          SHA1:CAD008D2D84AC173201105DB27A9DF29B66A5DEA
                                                                                                                          SHA-256:053A61026FC585261A0C6C66D8C9ADA80416AA812261FA7D591937C6737D26D9
                                                                                                                          SHA-512:021E70F07225DEEB28B632A5C688709548876131FA7FF58311C72489B5621A514A44707E27CA16E4ED283ABEBFE18653653499A345D811A0CCC355205ECDF3DD
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........50\XT^.XT^.XT^.Q,..VT^..(_.ZT^..,_.[T^.XT_.oT^..([.TT^..(Z.RT^..(].ZT^..(V.BT^..(^.YT^..(..YT^.XT..YT^..(\.YT^.RichXT^.................PE..L...).Pf...........!..."............=...............................................v.....@.........................0q......$...........................P)......@....l..p...........................(l..@............................................text............................... ..`.rdata.............................@..@.data................z..............@....rsrc................~..............@..@.reloc..@...........................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\mfc140u.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4869496
                                                                                                                          Entropy (8bit):7.023063738664024
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:2Wb8RxUQ2gvGuxzgCkTVlzrrqkijR2e4FLOAkGkzdnEVomFHKnPLzr2:2WyTVeT7qkijRr4FLOyomFHKnPLu
                                                                                                                          MD5:EC9829B23C2E5A7029AC2F9F81924EFA
                                                                                                                          SHA1:9B7400EE4282E4655C0CD5F54C41D3AE14095434
                                                                                                                          SHA-256:28EB2E4DE14C90B303E13EAFF2E65A4D57E4F5E220BD34CEB858D745A02BDF94
                                                                                                                          SHA-512:7B2831CA2CDE03F3F12240AE5F18386BBC1D6DA2B66A550515800E8A1947BC64F077EAF498E63CC3E1CAF39986CFEEB886F43562C0D451D8C54C196F4AF58662
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W.M.9.M.9.M.9..<.L.9..>.L.9..=.W.9.D...Y.9.Ki8.O.9.Ki=.A.9.Ki:.G.9..8.^.9.M.8..9.Ki<.Z.9.Ki0...9.Ki9.L.9.Ki..L.9.Ki;.L.9.RichM.9.........PE..L...z............."!...&../..p.......*+......./...............................J.....V.J...@A........................P...L.....0......@1.`.............I.xO....F.\.......T............................5..@.............0..............................text...../......./................. ..`.data........./......./.............@....idata..JS....0..T...p0.............@..@.didat.......01.......0.............@....rsrc...`....@1.......0.............@..@.reloc..\.....F......`F.............@..B................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):446840
                                                                                                                          Entropy (8bit):6.690279428020546
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:5mtyWf0sTWRzbpT/tD5YpsGx30h7whUgiW6QR7t5s03Ooc8dHkC2es98R:A0HsTWRzbp5D5YpsM3A7v03Ooc8dHkCh
                                                                                                                          MD5:C766CA0482DFE588576074B9ED467E38
                                                                                                                          SHA1:5AC975CCCE81399218AB0DD27A3EFFC5B702005E
                                                                                                                          SHA-256:85AA8C8AB4CBF1FF9AE5C7BDE1BF6DA2E18A570E36E2D870B88536B8658C5BA8
                                                                                                                          SHA-512:EE36BC949D627B06F11725117D568F9CF1A4D345A939D9B4C46040E96C84159FA741637EF3D73ED2D01DF988DE59A573C3574308731402EB52BAE2329D7BDDAC
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.$...w...w...w.\.v...w.V@w...w..v...w...w...w..v...w..v...w..vD..w..v...w.,w...w..v...wRich...w........................PE..L....4.w.........."!...&.....z...............0.......................................=....@A.........................S......8c..........................xO.......4...U..T...........................8U..@............`..0............................text...b........................... ..`.data....&...0......................@....idata..0....`.......0..............@..@.rsrc................H..............@..@.reloc...4.......6...L..............@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_1.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):21384
                                                                                                                          Entropy (8bit):6.470094803230791
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:Y32E5mpdhYQjHy3d5Wcs5gWI3KLHRN7QiUJ/AlGstm4s:YmxQSyUyAQX/xEv
                                                                                                                          MD5:C946A9E4170F6B16D25C822DA616DC6A
                                                                                                                          SHA1:F602D23DB756F9C3A058D3B7186D24480E05790F
                                                                                                                          SHA-256:65BDADB5562B9473471740B1DCD8B064459A40D71A1A11FC5AEDAA855FE7635A
                                                                                                                          SHA-512:916CAD8B1E38B2B15AB836844C5CC9D36B212831B2F553198054FE9CB5CD77AECD544CAC8040000337CEFDA9B15BF95E8903F36A9C1BEB7D579CFFF670445617
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(D.vl%.%l%.%l%.%.U.$n%.%e]/%h%.%>P.$f%.%>P.$m%.%l%.%D%.%>P.$i%.%>P.$x%.%>P.$m%.%>PC%m%.%>P.$m%.%Richl%.%........................PE..L...J|.a.........."!.........................0...............................p......#,....@A.........................*..J....@..x....P...............0...#...`..t...X...8...............................@............@...............................text...J........................... ..`.data...8....0....... ..............@....idata.......@......."..............@..@.rsrc........P.......(..............@..@.reloc..t....`.......,..............@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_2.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):166264
                                                                                                                          Entropy (8bit):6.800892494270331
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:UZqJu0h1iCPZYtIzss2wizpHB7RoSxvQ02bnt56CY2G1zVSdqXCvjC:UZqU0hStIzrQqht567ZSY+jC
                                                                                                                          MD5:06DEEA1786C951D3CC7E24A3E714FF03
                                                                                                                          SHA1:9906803CEDB8600C5E201AE080155BEEBD2902B2
                                                                                                                          SHA-256:EAC4C95CD7B013E110F2CF28C08342126FE1658EF16010541F05B234D23272DD
                                                                                                                          SHA-512:28CAA59DEEC92E417468BB0244DA2E60FAF6482EF608258E99FA47F59D3CD0EDEE69155E913034AC7B5E1AFC88DBF8F6F97058B75F0CBC6E4C045E1EE6EAADA0
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%>..a_a.a_a.a_a../`.c_a.h'.m_a.3*e.j_a.3*b.c_a.a_`.._a.3*`.d_a.3*d.r_a.3*a.`_a.3*..`_a.3*c.`_a.Richa_a.................PE..L...J|.a.........."!.....*...<......0........@......................................:.....@A.........................3..@....Q.......`...............f..x#...p..X....\..8............................\..@............P...............................text....).......*.................. ..`.data...(....@......................@....idata..`....P.......6..............@..@.rsrc........`.......D..............@..@.reloc..X....p.......H..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_atomic_wait.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):52104
                                                                                                                          Entropy (8bit):5.1488364199396335
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:ZWlTFwTSloNYcSNXR5cHDIABta/FWFvug0yiT3UN9imfI/NVW0jdT40Fzenw3GDx:GVT9kNWNLTXwwWDpQJs10cM8dAgT7
                                                                                                                          MD5:FFB8C73E6E3769D5D8715E694707C792
                                                                                                                          SHA1:F7D63FA41C34D7B75CD70D72E317DB148F3D50CA
                                                                                                                          SHA-256:1DD7D3417FFFC321A67AAE2CA7E89A7D75203F8A3586CD829C56766F313F7931
                                                                                                                          SHA-512:61E83F71A388FD1176665225CC84C32FAC40663376629ADBE9B47CD9E69DDADC43FEC021B07062585AF80811E8F3E0479314B2277E6CB8617645FD304FAE88AB
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Uz.;).;).;)*.:(.;)...).;)..?(.;)..8(.;).:)..;)..:(.;)..>(.;)..;(.;)...).;)..9(.;)Rich.;)........PE..L...J|.a.........."!.....H..........PC.......`............................... ......,@....@A.........................Q..D...............0................#......x.......8...........................0...@............................................text....F.......H.................. ..`.data........`...B...L..............@....idata..............................@..@.rsrc...0...........................@..@.reloc..x...........................@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\msvcp140_codecvt_ids.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):18816
                                                                                                                          Entropy (8bit):6.421430337596372
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:5DSdV3lIjIjP2dhWiOEWs/KLHRN7kxjlGsgl/Z:5c32jmdmAT7/Z
                                                                                                                          MD5:EF6C5EEB8B36D941E6991E6981CDB88A
                                                                                                                          SHA1:E21989951B745B290F143DD63F94BD4399A74284
                                                                                                                          SHA-256:3859B4A5A5C0A30CEE15C188F678E09D040541C221999D926955B49E8779E675
                                                                                                                          SHA-512:12CB0C4E4DE73600E262B6B6D0448FB050BD4B673D86265B4033B253EA3864DDA4F004F6344AAE5BED7A15D5717531F7B18374E47FF4258E027EE7B896F6F406
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Mt.T.............e.......mv.............[`......[`......[`......[`......[`......[`......[`......Rich....................PE..L...J|.a.........."!................P........0...............................p.......)....@A.........................!../...l@..P....P..0............&...#...`..H...D...8...............................@............@..h............................text............................... ..`.data........0......................@....idata..t....@......................@..@.rsrc...0....P......................@..@.reloc..H....`.......$..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\sqlite3.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1266512
                                                                                                                          Entropy (8bit):6.76665912939983
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:HKJBFjUNt+dLi2QnOFiVfBZngLrB2rOIIuYYEqDhrwVW8WRU:qlutNvOFizZgXBcRYYEccWrRU
                                                                                                                          MD5:AEC1AB9CC272E184C7E896E169786B64
                                                                                                                          SHA1:32E85DABECC470B6995EFAF83F8BF1D7E78B4916
                                                                                                                          SHA-256:5C5E4128AFE870F4B830AFA30BE42B4ABD8C4BD8229A9BACF6B24A4081F9B313
                                                                                                                          SHA-512:E059C621A44AAC97446F41ABB8B6F61D2C12D352F3F87451511A0F87E587BF1C1EBE0A56B074E36BDBAE5A7DF94EAB102C5C0C8BED37FBAEE715181C237840CF
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......vcf.2..Z2..Z2..Z;z.Z>..Z}~.[0..Z}~.[>..Z}~.[8..Z}~.[9..Zyz.[1..Z2..Z...Z.~.[3..Z.~.[3..Z.~.Z3..Z.~.[3..ZRich2..Z........PE..L....L.e...........!...".....8...............................................p......z.....@.........................05...$...Z.......................*..P)..........'...............................&..@............................................text............................... ..`.rdata...U.......V..................@..@.data...lH...p...D...N..............@....rsrc...............................@..@.reloc.............................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\templates\report.html.template

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4428
                                                                                                                          Entropy (8bit):4.79153248777129
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:4T7rK/xQNukj/5+B8XM3n/xWn/xX5N1UzEe7H:4T72mNuCaY8zH7H
                                                                                                                          MD5:680083D8087569CC23B481D527C764C5
                                                                                                                          SHA1:5A4BC210EBEFEF5494DBB5A97DCBC66A5988C464
                                                                                                                          SHA-256:894C1A18B17E9FB76684147F58785AAFE39089E333ED766267E9F6A3D3AC8B7F
                                                                                                                          SHA-512:191BA759F26A02D8A2A80CC868148CC010042E5EF127FB05A7C24F6C538A80DD141E5D096FD8AB25AFD76112D70EDD9670A042CCF46C430329EAF7CA530B2241
                                                                                                                          Malicious:false
                                                                                                                          Preview:.<!DOCTYPE html>..<html lang="en">....<head>.. <meta charset="utf-8">.. <title>{{localized_title}}</title>.. <style>.... :root {.. --numColumns: {{#middle_side}}3{{/middle_side}}{{^middle_side}}2{{/middle_side}};.. --leftColumnContent: 1;.. {{#middle_side}}.. --middleColumnContent: 2;.. --rightColumnContent: 3;.. {{/middle_side}}.. {{^middle_side}}.. --rightColumnContent: 2;.. {{/middle_side}}.. }.... div.legend {.. font: 1em Consolas, "Liberation Mono", Menlo, Courier, monospace;.. padding-top: 0.34em;.. padding-bottom: 0.34em;.. width: 100%;.. display: grid;.. grid-template-columns: 1fr 1fr 1fr 1fr 1fr;.. vertical-align: middle;.. }.... span.legend-caption {.. grid-column: 1/5;.. grid-row: 1;.. text-align: left;.. font-weight: bolder;.. }.... span.legend {.. grid-row: 2;.. text-align: center;.. }.... #text-comparison-result,.. #xml-compariso

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\ucrtbase.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1170904
                                                                                                                          Entropy (8bit):6.805826320677691
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:+WiAihjcDBXUw9y079gzyVFExlfz+pq12S5qyrmcvIZPoy4spcFOo:NiAihjmXfgzyVFEWc2SEyApcco
                                                                                                                          MD5:126FB99E7037B6A56A14D701FD27178B
                                                                                                                          SHA1:0969F27C4A0D8270C34EDB342510DE4F388752CD
                                                                                                                          SHA-256:10F8F24AA678DB8E38E6917748C52BBCD219161B9A07286D6F8093AB1D0318FA
                                                                                                                          SHA-512:D787A9530BCE036D405988770621B6F15162347A892506CE637839AC83AC6C23001DC5B2292AFD652E0804BD327A7536D5F1B92412697C3BE335A03133D5FE17
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..\...\...\......\...]...\.......\...\...\..._...\...Y...\...R...\...X...\.......\...^...\.Rich..\.........................PE..L.................!................0................................................b....@A................................t".......@...................!...P......P...T...........................p...@............ ..p............................text...P........................... ..`.data...<...........................@....idata....... ......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\vccorlib140.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):267656
                                                                                                                          Entropy (8bit):6.547035182798101
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:+9WZ4GcvxHdmJOHpxyBIBaQ0I/Quljl1mn48MHnlwgSmiSb:+VFTmJO/BH0IYuljK48ZgS0
                                                                                                                          MD5:2FB4C4168E379F13B15D4E299ECF3429
                                                                                                                          SHA1:4C6702254054F288BEB49ADCDD6317575E83374D
                                                                                                                          SHA-256:8CD7BE490AD502C9980CB47C9A7162AFCCC088D9A2159D3BBBCED23A9BCBDA7F
                                                                                                                          SHA-512:8BC80A720CDC38D58AB742D19317FBE7C36CFB0261BB9B3D5F3B366459B2801B95F8E71FB24D85B79F2C2BC43E7EB135DAB0B81953C7007A5C01494C9F584208
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Hb.:...i...i...i.{.i...i^v.h...i^v.h...i^v.h...i^v.h...i.s.h...i...i...i^v.h...i^v.h...i^v.i...i^v.h...iRich...i................PE..L....~.a.........."!.........................0............................... ......Gp....@A........................@....=...............................#......TX..\J..8............................J..@............................................text...[........................... ..`.data....o...0...l..................@....idata..............................@..@.rsrc...............................@..@.reloc..TX.......Z..................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\vcruntime140.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):91104
                                                                                                                          Entropy (8bit):6.919609919273454
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:wd5wd+ywOpmlhcsrG4ckZEzH3qDLItnTwfVkC2KecbGJ13yd+zTNFZFzK:wdJywOpmlPrHI6D+nTwvlecbG/3y8XG
                                                                                                                          MD5:9C133B18FA9ED96E1AEB2DA66E4A4F2B
                                                                                                                          SHA1:238D34DBD80501B580587E330D4405505D5E80F2
                                                                                                                          SHA-256:C7D9DFDDBE68CF7C6F0B595690E31A26DF4780F465D2B90B5F400F2D8D788512
                                                                                                                          SHA-512:D2D588F9940E7E623022ADEBEBDC5AF68421A8C1024177189D11DF45481D7BFED16400958E67454C84BA97F0020DA559A8DAE2EC41950DC07E629B0FD4752E2F
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................2........I..............o.......o.......o.......o.......o%......o......Rich............PE..L....s............"!...&............P........................................P...........@A........................@........ .......0...................O...@.......$..T............................#..@............ ...............................text...T........................... ..`.data...d...........................@....idata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Temp\sc4.1

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
                                                                                                                          File Type:very short file (no magic)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1
                                                                                                                          Entropy (8bit):0.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:v:v
                                                                                                                          MD5:68B329DA9893E34099C7D8AD5CB9C940
                                                                                                                          SHA1:ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC
                                                                                                                          SHA-256:01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
                                                                                                                          SHA-512:BE688838CA8686E5C90689BF2AB585CEF1137C999B48C70B92F67A5C34DC15697B5D11C982ED6D71BE1E1E7F7B4E0733884AA97C3F7A339A8ED03577CF74BE09
                                                                                                                          Malicious:false
                                                                                                                          Preview:.

                                                                                                                          C:\Users\user\AppData\Local\Temp\sc4.2

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2
                                                                                                                          Entropy (8bit):1.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:y:y
                                                                                                                          MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                          SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                          SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                          SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                          Malicious:false
                                                                                                                          Preview:..

                                                                                                                          C:\Users\user\AppData\Local\Temp\sc4.3\data.0

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):130
                                                                                                                          Entropy (8bit):2.6212307144865425
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:xNIDzk+xlliplltq8QRXe//w:x0zjsplK8Ee//w
                                                                                                                          MD5:647E8E57755CF2ADA12589060C50C079
                                                                                                                          SHA1:A7DA88301FE4A32AAA36FDC216F743A9FBE557EB
                                                                                                                          SHA-256:6E45A40F910A85232E711D528C16B33956A3212CAC414C3B7DDDCCF2856C64EB
                                                                                                                          SHA-512:EC0D03B7950D82D58E8F36724D9D072C82ED943DECD82F68AA94134F5A334B32F11726B83B8A1936A84CC8018D8999FC0AE29EF2371CF7F5DACC47BA06C9BC6B
                                                                                                                          Malicious:false
                                                                                                                          Preview:ADIOS-BP v2.9.2 Data............292.............................[PGI>.......n..Output......1..................................PGI]

                                                                                                                          C:\Users\user\AppData\Local\Temp\sc4.3\md.0

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):134
                                                                                                                          Entropy (8bit):2.3816183899920396
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:xNIDiijIxll0lbqQRVQRDshtll:x0iVeGEVnh
                                                                                                                          MD5:110090F60E6DA1EBD8C003DD4A8EFE22
                                                                                                                          SHA1:DC592E5FB12B34413CBD1FA8BDD6B8DE063B6E3F
                                                                                                                          SHA-256:9A74DE2A2AFA6919AFC2F30A0B046D929DBBBE8786E7F70B1C9C42304C9252A9
                                                                                                                          SHA-512:8870D0C11A04D1641016EAD4D27FFDF4CA4D0C8EC5A031DE0439EF72AE5D2DE92A8FC62DD9B54C1AA76D5E03D7A36D9939429087FDE7B8271FA3EB22D99F5EB4
                                                                                                                          Malicious:false
                                                                                                                          Preview:ADIOS-BP v2.9.2 Metadata........292.................................................Outputn......1....@...............................

                                                                                                                          C:\Users\user\AppData\Local\Temp\sc4.3\md.idx

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):128
                                                                                                                          Entropy (8bit):2.381368203576206
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:xNIDV7utfWxll0ldll5lnlrlS/l/l:x0R6eeIt/
                                                                                                                          MD5:F4BFB406FD7A00E8E8A0F3D4B3EC5BD7
                                                                                                                          SHA1:537A8BDAE0E94D2DB2B09211EEBF425289454C29
                                                                                                                          SHA-256:9A60D950FB146F941801EC6548DBD043C85AC888569EBCA2F2DF647E51A5CA3F
                                                                                                                          SHA-512:DE2B2CCB22DA20A66231B95BC78938ED03BB80AB8E56BEEB809BE1FE9BDA129A41829CAF9F097FA8C826114AD898B790F2F69C22F9442A4ADC97BC8542CEA4B8
                                                                                                                          Malicious:false
                                                                                                                          Preview:ADIOS-BP v2.9.2 Index Table.....292.............................................@.......n.......z...............s.?g............

                                                                                                                          C:\Users\user\AppData\Local\Temp\sc4.3\profiling.json

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
                                                                                                                          File Type:JSON data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):391
                                                                                                                          Entropy (8bit):4.754510939227366
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:LvaNobsAWNPj93JKKB597knJ7mgJVa7B1OZyIPndv/ZxXBbAFJyIPrX+X23o7v:LWowxP9Ey5c0gfcB1OH/vbgXzXfor
                                                                                                                          MD5:A8385C732A3E24BC2F3CD97DD78FFAFF
                                                                                                                          SHA1:6FB06B1304F29DB037ED786263A003C69E5D4DC7
                                                                                                                          SHA-256:D1856AB84CDD89290D9840EE219EE98E18BDA22FC31CDCE53B7B8A5A70B23272
                                                                                                                          SHA-512:09EDE506D87366A6475DE42E8DCDDD9F0011041F1E439F5BF4A9E4EEFE72D0C2A7E4F29B60B713ADAE8EEA1DAD69C337870886B1795DE5639BF718E972E32B9D
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.{ "rank": 0, "start": "Thu_Nov_21_05:24:51_2024", "threads": 1, "bytes": 130, "aggregation_mus": 0, "buffering_mus": 75, "memcpy_mus": 0, "minmax_mus": 0, "meta_sort_merge_mus": 39, "mkdir_mus": 301, "transport_0": { "type": "File_fstream", "open_mus": 487, "write_mus": 161, "close_mus": 6245}, "transport_1": { "type": "File_fstream", "open_mus": 82, "write_mus": 1, "close_mus": 0} }.].

                                                                                                                          C:\Windows\Installer\813e7c.msi

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MotiveWave Proffesional, Author: MotiveWave Software, Keywords: Installer, Comments: This installer database contains the logic and data required to install MotiveWave Proffesional., Template: Intel;1033, Revision Number: {AE533901-3C2C-472E-962D-EC625A769D04}, Create Time/Date: Tue Nov 12 16:50:30 2024, Last Saved Time/Date: Tue Nov 12 16:50:30 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):44130304
                                                                                                                          Entropy (8bit):7.998958277200641
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:786432:Ik4FDMyBJdSbNA0Dmrv+XkyxQ+wFyz1thYPATnoYELCw:VkncYTRGyPqoLCw
                                                                                                                          MD5:C6482889FE38AB6FAC54F0B220AC5407
                                                                                                                          SHA1:0A69FBDE5B864D04AC9C28E2361B2D2E684C8F38
                                                                                                                          SHA-256:0C70A985493B30EDDA772A39D108743E11B52569BCCBB8E5B48A271765FB998D
                                                                                                                          SHA-512:7E952A053C54CFD5DCC3854459AC53CCBF56880E4978030F32F55D433F545002683FC1A43A0E0D919F1B8608E84DA72C7C1FA0B575171C91CA1D75048BEE8934
                                                                                                                          Malicious:false
                                                                                                                          Preview:......................>.................................................................................... ...$...(..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Installer\813e7e.msi

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MotiveWave Proffesional, Author: MotiveWave Software, Keywords: Installer, Comments: This installer database contains the logic and data required to install MotiveWave Proffesional., Template: Intel;1033, Revision Number: {AE533901-3C2C-472E-962D-EC625A769D04}, Create Time/Date: Tue Nov 12 16:50:30 2024, Last Saved Time/Date: Tue Nov 12 16:50:30 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):44130304
                                                                                                                          Entropy (8bit):7.998958277200641
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:786432:Ik4FDMyBJdSbNA0Dmrv+XkyxQ+wFyz1thYPATnoYELCw:VkncYTRGyPqoLCw
                                                                                                                          MD5:C6482889FE38AB6FAC54F0B220AC5407
                                                                                                                          SHA1:0A69FBDE5B864D04AC9C28E2361B2D2E684C8F38
                                                                                                                          SHA-256:0C70A985493B30EDDA772A39D108743E11B52569BCCBB8E5B48A271765FB998D
                                                                                                                          SHA-512:7E952A053C54CFD5DCC3854459AC53CCBF56880E4978030F32F55D433F545002683FC1A43A0E0D919F1B8608E84DA72C7C1FA0B575171C91CA1D75048BEE8934
                                                                                                                          Malicious:false
                                                                                                                          Preview:......................>.................................................................................... ...$...(..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Installer\MSI47D3.tmp

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):11640
                                                                                                                          Entropy (8bit):5.719225838375416
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:wm32OdwDSbGGe4dWUv15aWIemqOWTlT9IM247LRnl3KmkYNUg+6jAHVoeaIpUcEu:wmSSiGe4dWsmXWs6Bl39m60CekWb
                                                                                                                          MD5:4DEEF368537346488BF5EF403D4FABA1
                                                                                                                          SHA1:9B0C1C4A6AA6F7722844A2AC821CC7370D12F052
                                                                                                                          SHA-256:2959ED827B7C26556468B60C62804605F26A1BEF6939A4B275A3C417DB8A2ABA
                                                                                                                          SHA-512:158FFCCB9E5C66AF4176937197FFCB0F483C2B81ECD4A5035602163556D1A36D227020545BB2FD0F90F93938894480F2E54BA18CD60A7F6483EA7AD6AE187FA2
                                                                                                                          Malicious:false
                                                                                                                          Preview:...@IXOS.@.....@.+uY.@.....@.....@.....@.....@.....@......&.{494D20A3-04AB-4FD6-8901-F174670D563F}..MotiveWave Proffesional..1.e.msi.@.....@.....@.....@........&.{AE533901-3C2C-472E-962D-EC625A769D04}.....@.....@.....@.....@.......@.....@.....@.......@......MotiveWave Proffesional......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E25DC234-7628-6376-8C4F-A0A9098FCA45}H.C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\Asset.wav.@.......@.....@.....@......&.{D68C2780-F9C3-81E8-0F41-7C694D8990E4}J.C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\Catalog.xsd.@.......@.....@.....@......&.{CAB78203-16F2-2578-2018-CE2829DF386C}Q.C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\CES_PlugInHost.dll.@.......@.....@.....@......&.{3F182DF9-CF16-E26C-D6D5-EEEC3DE9133D}L.C:\Users\user\AppData\Local\Programs\MotiveWave Prof

                                                                                                                          C:\Windows\Installer\SourceHash{494D20A3-04AB-4FD6-8901-F174670D563F}

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20480
                                                                                                                          Entropy (8bit):1.1611025342735284
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:JSbX72FjpSAGiLIlHVRpqh/7777777777777777777777777vDHFq+UyXMkCpZlN:JqQI56xTZnF
                                                                                                                          MD5:FF8727A5FACD3CE36970BEF8D2505F3A
                                                                                                                          SHA1:E2637B6BC8D9CF5A866166CF8FA6522AD299F134
                                                                                                                          SHA-256:B945EDF79488D825539CB59833EB2D96FB239A8ECB8FA4D049467A8465E87486
                                                                                                                          SHA-512:FAA781797F533F7644EB940D9531E59B5013EABF2AB32D524E6EAAFBFABAEDAE810915BF0D2DCD87CD755CF2F0FAA694B6E826B500ACA0585BD320095D038818
                                                                                                                          Malicious:false
                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20480
                                                                                                                          Entropy (8bit):1.5015631554858007
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:+8PhpuRc06WXOgnT5zjK9GzdS5+r19GzdSI0K:xhp1unTFj5kB
                                                                                                                          MD5:E576E5F8313104216FCDA79E621D7BDD
                                                                                                                          SHA1:20F0AFB8368EA5D2BE81D540B79C24FCADE8D0FC
                                                                                                                          SHA-256:098C6CD6BED77E38037BAAA35850D6A46470284DFAF2EF6CC5CEFF871A6F7A32
                                                                                                                          SHA-512:634C95249F7F93379BD63CB9F3B49C5F5D72A38591834E1C9EEBC6DB63A92CDCEBCDF3A520D6BB927BB7BB12964DF7B0BC10B1257E781F7CD5FCD2C252165A69
                                                                                                                          Malicious:false
                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1014526
                                                                                                                          Entropy (8bit):5.410022505168915
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:TFfxq8RfKF0Dux6lvJ3c7v/3dd7kGcoyq+H/GKXp:TFfxq8xKCE6lVcbP7kGcj/GKXp
                                                                                                                          MD5:EC51312B4FD273A4A26897071153E592
                                                                                                                          SHA1:351B30B4362A56D370892BD999E3F0CF3E3A83D6
                                                                                                                          SHA-256:4540D248A9C19ECF1BF4F2EE67249FFC2AB25B58C8574857D2DA7ACC223346FC
                                                                                                                          SHA-512:336D35115A52FC13D5B55AC432C00C433430D28815E1A5F76AF4916D57EDE5A78869FF3C8FAD42F520B9E02EB56B69C1E7D605BD90492C2AE6E62773F3E237D0
                                                                                                                          Malicious:false
                                                                                                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 09:59:37.236 [4684]: Command line: D:\wd\compilerTemp\BMT.i51yo0aa.beh\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 09:59:37.255 [4684]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 09:59:37.299 [4684]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 09:59:37.299 [4684]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 09:59:37.299 [

                                                                                                                          C:\Windows\Temp\~DF11A14C60E0459EFF.TMP

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):32768
                                                                                                                          Entropy (8bit):0.0684577160434631
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOq+UmXXMOLxX6Vky6lZ:2F0i8n0itFzDHFq+UyXMkPZ
                                                                                                                          MD5:174E59845F30BBF54A1B83F6BE56F639
                                                                                                                          SHA1:679635FB610F27C3AB9587D7CCE6EB34128C408C
                                                                                                                          SHA-256:0978B2F2AEF4CB14D37FA4DB3EA191F2CFEE7E631F91F3B8A42C266AED48DA16
                                                                                                                          SHA-512:39C3623F72E5E5A074585141290CF9776D0AB4A97E70C453D89922B6D3E60093D24FBD26B7CDB6475F253B3004A2FE573CFEBCE937ED5881026E8A525D509858
                                                                                                                          Malicious:false
                                                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Temp\~DF3FFE01ED652F2DB4.TMP

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):69632
                                                                                                                          Entropy (8bit):0.11905329098872112
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:4ogKFOwVXG+gdipVEwVXG+gdipV7VjwG0lrkgM+clC:mKFL9GzdSL9GzdS5+rMj
                                                                                                                          MD5:BC3CA20FF3A524D05F04C4AC55F92952
                                                                                                                          SHA1:44113CF32444E2B77FE9EDE14C305C823D4B2CA8
                                                                                                                          SHA-256:84C9964646AE21A564C1EA9C6C796DA112C470DC9459B8B61956D4B163688ED8
                                                                                                                          SHA-512:0AD58BBC5DA649BC23BFE6CD01412F179D9B5DC4D2176A85E441512E5911D830E527C61BA12CB3C079D39618ED0CBBBF24FA23AACC947FD322A492AE13560B61
                                                                                                                          Malicious:false
                                                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Temp\~DF4CDFF5FE3F710ABE.TMP

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):512
                                                                                                                          Entropy (8bit):0.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3::
                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                          Malicious:false
                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Temp\~DF5EF872B34531A875.TMP

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20480
                                                                                                                          Entropy (8bit):1.5015631554858007
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:+8PhpuRc06WXOgnT5zjK9GzdS5+r19GzdSI0K:xhp1unTFj5kB
                                                                                                                          MD5:E576E5F8313104216FCDA79E621D7BDD
                                                                                                                          SHA1:20F0AFB8368EA5D2BE81D540B79C24FCADE8D0FC
                                                                                                                          SHA-256:098C6CD6BED77E38037BAAA35850D6A46470284DFAF2EF6CC5CEFF871A6F7A32
                                                                                                                          SHA-512:634C95249F7F93379BD63CB9F3B49C5F5D72A38591834E1C9EEBC6DB63A92CDCEBCDF3A520D6BB927BB7BB12964DF7B0BC10B1257E781F7CD5FCD2C252165A69
                                                                                                                          Malicious:false
                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Temp\~DF84CCA6ECBAC5839B.TMP

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):32768
                                                                                                                          Entropy (8bit):1.2073017583675436
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zwMRu3srMLFXOHT5WjK9GzdS5+r19GzdSI0K:z1RkKT4j5kB
                                                                                                                          MD5:59918937CD36BCFC90C3BFD4DFF825D5
                                                                                                                          SHA1:89BCAFF22A5CD5F9741074221387D15B4BD6FE5F
                                                                                                                          SHA-256:EBC27AB9C1450948B3CD0EF1E004EF2CAB4480D93205E8D02D29A6BFE3A8C718
                                                                                                                          SHA-512:BABBB3FED9AC9C718826916160DE6AA8B6C6E1D08022D04D1D2E6124A4FAD1538C26CC2CAD0A9867351A1B4D69EBB37D992DF1743F1CFA6E8BC0C0F36558811F
                                                                                                                          Malicious:false
                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Temp\~DF879E19F7982A06AF.TMP

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):32768
                                                                                                                          Entropy (8bit):1.2073017583675436
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zwMRu3srMLFXOHT5WjK9GzdS5+r19GzdSI0K:z1RkKT4j5kB
                                                                                                                          MD5:59918937CD36BCFC90C3BFD4DFF825D5
                                                                                                                          SHA1:89BCAFF22A5CD5F9741074221387D15B4BD6FE5F
                                                                                                                          SHA-256:EBC27AB9C1450948B3CD0EF1E004EF2CAB4480D93205E8D02D29A6BFE3A8C718
                                                                                                                          SHA-512:BABBB3FED9AC9C718826916160DE6AA8B6C6E1D08022D04D1D2E6124A4FAD1538C26CC2CAD0A9867351A1B4D69EBB37D992DF1743F1CFA6E8BC0C0F36558811F
                                                                                                                          Malicious:false
                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Temp\~DFB05994DF0C1C89ED.TMP

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):512
                                                                                                                          Entropy (8bit):0.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3::
                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                          Malicious:false
                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Temp\~DFC46ED5D3F48E6560.TMP

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20480
                                                                                                                          Entropy (8bit):1.5015631554858007
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:+8PhpuRc06WXOgnT5zjK9GzdS5+r19GzdSI0K:xhp1unTFj5kB
                                                                                                                          MD5:E576E5F8313104216FCDA79E621D7BDD
                                                                                                                          SHA1:20F0AFB8368EA5D2BE81D540B79C24FCADE8D0FC
                                                                                                                          SHA-256:098C6CD6BED77E38037BAAA35850D6A46470284DFAF2EF6CC5CEFF871A6F7A32
                                                                                                                          SHA-512:634C95249F7F93379BD63CB9F3B49C5F5D72A38591834E1C9EEBC6DB63A92CDCEBCDF3A520D6BB927BB7BB12964DF7B0BC10B1257E781F7CD5FCD2C252165A69
                                                                                                                          Malicious:false
                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Temp\~DFCD9EFBF8DA7778A9.TMP

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):32768
                                                                                                                          Entropy (8bit):1.2073017583675436
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zwMRu3srMLFXOHT5WjK9GzdS5+r19GzdSI0K:z1RkKT4j5kB
                                                                                                                          MD5:59918937CD36BCFC90C3BFD4DFF825D5
                                                                                                                          SHA1:89BCAFF22A5CD5F9741074221387D15B4BD6FE5F
                                                                                                                          SHA-256:EBC27AB9C1450948B3CD0EF1E004EF2CAB4480D93205E8D02D29A6BFE3A8C718
                                                                                                                          SHA-512:BABBB3FED9AC9C718826916160DE6AA8B6C6E1D08022D04D1D2E6124A4FAD1538C26CC2CAD0A9867351A1B4D69EBB37D992DF1743F1CFA6E8BC0C0F36558811F
                                                                                                                          Malicious:false
                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Temp\~DFDD131CC048CCE32D.TMP

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):512
                                                                                                                          Entropy (8bit):0.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3::
                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                          Malicious:false
                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Temp\~DFDE124F7F0E7B9A81.TMP

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):512
                                                                                                                          Entropy (8bit):0.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3::
                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                          Malicious:false
                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Windows\Temp\~DFE418DB88113D0519.TMP

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):512
                                                                                                                          Entropy (8bit):0.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3::
                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                          Malicious:false
                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          Static File Info

                                                                                                                          General

                                                                                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MotiveWave Proffesional, Author: MotiveWave Software, Keywords: Installer, Comments: This installer database contains the logic and data required to install MotiveWave Proffesional., Template: Intel;1033, Revision Number: {AE533901-3C2C-472E-962D-EC625A769D04}, Create Time/Date: Tue Nov 12 16:50:30 2024, Last Saved Time/Date: Tue Nov 12 16:50:30 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                          Entropy (8bit):7.998958277200641
                                                                                                                          TrID:
                                                                                                                          • Microsoft Windows Installer (60509/1) 88.31%
                                                                                                                          • Generic OLE2 / Multistream Compound File (8008/1) 11.69%
                                                                                                                          File name:1.e.msi
                                                                                                                          File size:44'130'304 bytes
                                                                                                                          MD5:c6482889fe38ab6fac54f0b220ac5407
                                                                                                                          SHA1:0a69fbde5b864d04ac9c28e2361b2d2e684c8f38
                                                                                                                          SHA256:0c70a985493b30edda772a39d108743e11b52569bccbb8e5b48a271765fb998d
                                                                                                                          SHA512:7e952a053c54cfd5dcc3854459ac53ccbf56880e4978030f32f55d433f545002683fc1a43a0e0d919f1b8608e84da72c7c1fa0b575171c91ca1d75048bee8934
                                                                                                                          SSDEEP:786432:Ik4FDMyBJdSbNA0Dmrv+XkyxQ+wFyz1thYPATnoYELCw:VkncYTRGyPqoLCw
                                                                                                                          TLSH:19A73383E10AE5D4D0209F7A887D6649C11BCC86BF16E4E7627FF1C35079F296BA424B
                                                                                                                          File Content Preview:........................>.................................................................................... ...$...(.........................................................................................................................................

                                                                                                                          File Icon

                                                                                                                          Icon Hash:2d2e3797b32b2b99

                                                                                                                          Network Behavior

                                                                                                                          Download Network PCAP: filteredfull

                                                                                                                          Suricata IDS Alerts

                                                                                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                          2024-11-21T11:26:37.807952+01002034465ET MALWARE Danabot Key Exchange Request1192.168.11.2049749148.251.107.246443TCP
                                                                                                                          2024-11-21T11:26:38.852394+01002034465ET MALWARE Danabot Key Exchange Request1192.168.11.2049750185.174.135.68443TCP
                                                                                                                          2024-11-21T11:26:39.919776+01002034465ET MALWARE Danabot Key Exchange Request1192.168.11.2049751185.81.114.227443TCP
                                                                                                                          2024-11-21T11:26:41.004851+01002034465ET MALWARE Danabot Key Exchange Request1192.168.11.204975223.227.178.53443TCP

                                                                                                                          Network Port Distribution

                                                                                                                          • Total Packets: 51
                                                                                                                          • 443 (HTTPS)
                                                                                                                          • 53 (DNS)
                                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                                          Nov 21, 2024 11:25:56.867649078 CET4974453192.168.11.208.8.8.8
                                                                                                                          Nov 21, 2024 11:25:56.962507010 CET53497448.8.8.8192.168.11.20
                                                                                                                          Nov 21, 2024 11:25:56.962697029 CET4974453192.168.11.208.8.8.8
                                                                                                                          Nov 21, 2024 11:25:59.057663918 CET53497448.8.8.8192.168.11.20
                                                                                                                          Nov 21, 2024 11:25:59.057899952 CET4974453192.168.11.208.8.8.8
                                                                                                                          Nov 21, 2024 11:26:00.044210911 CET49745443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:00.044280052 CET44349745148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:00.044488907 CET49745443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:00.116137028 CET49745443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:00.116168976 CET44349745148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:00.116241932 CET44349745148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:00.116343975 CET49745443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:00.116405964 CET44349745148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:01.133156061 CET49746443192.168.11.20185.174.135.68
                                                                                                                          Nov 21, 2024 11:26:01.133191109 CET44349746185.174.135.68192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:01.133430004 CET49746443192.168.11.20185.174.135.68
                                                                                                                          Nov 21, 2024 11:26:01.186718941 CET49746443192.168.11.20185.174.135.68
                                                                                                                          Nov 21, 2024 11:26:01.186718941 CET49746443192.168.11.20185.174.135.68
                                                                                                                          Nov 21, 2024 11:26:01.186752081 CET44349746185.174.135.68192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:01.186758995 CET44349746185.174.135.68192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:01.186810017 CET44349746185.174.135.68192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:02.195327044 CET49747443192.168.11.20185.81.114.227
                                                                                                                          Nov 21, 2024 11:26:02.195355892 CET44349747185.81.114.227192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:02.195595026 CET49747443192.168.11.20185.81.114.227
                                                                                                                          Nov 21, 2024 11:26:02.238337994 CET49747443192.168.11.20185.81.114.227
                                                                                                                          Nov 21, 2024 11:26:02.238389015 CET44349747185.81.114.227192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:02.238481998 CET44349747185.81.114.227192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:02.238595963 CET49747443192.168.11.20185.81.114.227
                                                                                                                          Nov 21, 2024 11:26:02.238668919 CET44349747185.81.114.227192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:03.243490934 CET49748443192.168.11.2023.227.178.53
                                                                                                                          Nov 21, 2024 11:26:03.243583918 CET4434974823.227.178.53192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:03.243799925 CET49748443192.168.11.2023.227.178.53
                                                                                                                          Nov 21, 2024 11:26:03.298095942 CET49748443192.168.11.2023.227.178.53
                                                                                                                          Nov 21, 2024 11:26:03.298122883 CET4434974823.227.178.53192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:03.298199892 CET4434974823.227.178.53192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:03.298329115 CET49748443192.168.11.2023.227.178.53
                                                                                                                          Nov 21, 2024 11:26:03.298365116 CET4434974823.227.178.53192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:37.765984058 CET49749443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:37.766076088 CET44349749148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:37.766258955 CET49749443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:37.807951927 CET49749443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:37.808042049 CET44349749148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:37.808188915 CET44349749148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:37.808270931 CET49749443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:37.808336020 CET44349749148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:38.812685013 CET49750443192.168.11.20185.174.135.68
                                                                                                                          Nov 21, 2024 11:26:38.812755108 CET44349750185.174.135.68192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:38.812972069 CET49750443192.168.11.20185.174.135.68
                                                                                                                          Nov 21, 2024 11:26:38.852394104 CET49750443192.168.11.20185.174.135.68
                                                                                                                          Nov 21, 2024 11:26:38.852444887 CET44349750185.174.135.68192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:38.852554083 CET44349750185.174.135.68192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:38.852629900 CET49750443192.168.11.20185.174.135.68
                                                                                                                          Nov 21, 2024 11:26:38.852678061 CET44349750185.174.135.68192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:39.860219955 CET49751443192.168.11.20185.81.114.227
                                                                                                                          Nov 21, 2024 11:26:39.860331059 CET44349751185.81.114.227192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:39.860524893 CET49751443192.168.11.20185.81.114.227
                                                                                                                          Nov 21, 2024 11:26:39.919775963 CET49751443192.168.11.20185.81.114.227
                                                                                                                          Nov 21, 2024 11:26:39.919857979 CET44349751185.81.114.227192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:39.920052052 CET44349751185.81.114.227192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:39.920053959 CET49751443192.168.11.20185.81.114.227
                                                                                                                          Nov 21, 2024 11:26:39.920118093 CET44349751185.81.114.227192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:40.937632084 CET49752443192.168.11.2023.227.178.53
                                                                                                                          Nov 21, 2024 11:26:40.937711000 CET4434975223.227.178.53192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:40.937891006 CET49752443192.168.11.2023.227.178.53
                                                                                                                          Nov 21, 2024 11:26:41.004851103 CET49752443192.168.11.2023.227.178.53
                                                                                                                          Nov 21, 2024 11:26:41.004904032 CET4434975223.227.178.53192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.005029917 CET4434975223.227.178.53192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.005120993 CET49752443192.168.11.2023.227.178.53
                                                                                                                          Nov 21, 2024 11:26:41.005177975 CET4434975223.227.178.53192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.009627104 CET49753443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:41.009699106 CET44349753148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.009943008 CET49753443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:41.051589966 CET49753443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:41.051590919 CET49753443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:41.051615000 CET44349753148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.051621914 CET44349753148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.051629066 CET49753443192.168.11.20148.251.107.246
                                                                                                                          Nov 21, 2024 11:26:41.051634073 CET44349753148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.051661968 CET44349753148.251.107.246192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.054903984 CET49754443192.168.11.20185.174.135.68
                                                                                                                          Nov 21, 2024 11:26:41.054933071 CET44349754185.174.135.68192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.055080891 CET49754443192.168.11.20185.174.135.68
                                                                                                                          Nov 21, 2024 11:26:41.093604088 CET49754443192.168.11.20185.174.135.68
                                                                                                                          Nov 21, 2024 11:26:41.093604088 CET49754443192.168.11.20185.174.135.68
                                                                                                                          Nov 21, 2024 11:26:41.093625069 CET44349754185.174.135.68192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.093632936 CET44349754185.174.135.68192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.093681097 CET44349754185.174.135.68192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.096447945 CET49755443192.168.11.20185.81.114.227
                                                                                                                          Nov 21, 2024 11:26:41.096473932 CET44349755185.81.114.227192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.096718073 CET49755443192.168.11.20185.81.114.227
                                                                                                                          Nov 21, 2024 11:26:41.142275095 CET49755443192.168.11.20185.81.114.227
                                                                                                                          Nov 21, 2024 11:26:41.142296076 CET44349755185.81.114.227192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.142327070 CET44349755185.81.114.227192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.145088911 CET49756443192.168.11.2023.227.178.53
                                                                                                                          Nov 21, 2024 11:26:41.145116091 CET4434975623.227.178.53192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.145306110 CET49756443192.168.11.2023.227.178.53
                                                                                                                          Nov 21, 2024 11:26:41.186388016 CET49756443192.168.11.2023.227.178.53
                                                                                                                          Nov 21, 2024 11:26:41.186399937 CET4434975623.227.178.53192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.186480045 CET4434975623.227.178.53192.168.11.20
                                                                                                                          Nov 21, 2024 11:26:41.186598063 CET49756443192.168.11.2023.227.178.53
                                                                                                                          Nov 21, 2024 11:26:41.186619043 CET4434975623.227.178.53192.168.11.20

                                                                                                                          Statistics

                                                                                                                          CPU Usage

                                                                                                                          050100s020406080100

                                                                                                                          Click to jump to process

                                                                                                                          Memory Usage

                                                                                                                          050100s0.0050100MB

                                                                                                                          Click to jump to process

                                                                                                                          High Level Behavior Distribution

                                                                                                                          • File
                                                                                                                          • Registry
                                                                                                                          • Network

                                                                                                                          Click to dive into process behavior distribution

                                                                                                                          Behavior

                                                                                                                          Click to jump to process

                                                                                                                          System Behavior

                                                                                                                          General

                                                                                                                          Target ID:0
                                                                                                                          Start time:05:24:39
                                                                                                                          Start date:21/11/2024
                                                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.e.msi"
                                                                                                                          Imagebase:0x7ff642300000
                                                                                                                          File size:69'632 bytes
                                                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true
                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          Show Windows behavior

                                                                                                                          Section Activities

                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          Show Windows behavior

                                                                                                                          Thread Activities

                                                                                                                          Show Windows behavior

                                                                                                                          Memory Activities

                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          Show Windows behavior

                                                                                                                          Windows UI Activities

                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                                                                                                          General

                                                                                                                          Target ID:1
                                                                                                                          Start time:05:24:39
                                                                                                                          Start date:21/11/2024
                                                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                          Imagebase:0x7ff642300000
                                                                                                                          File size:69'632 bytes
                                                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false
                                                                                                                          Show Windows behavior

                                                                                                                          File Activities

                                                                                                                          Show Windows behavior

                                                                                                                          Section Activities

                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          Show Windows behavior

                                                                                                                          Thread Activities

                                                                                                                          Show Windows behavior

                                                                                                                          Memory Activities

                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                          Show Windows behavior

                                                                                                                          Process Token Activities

                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                                                                                                          General

                                                                                                                          Target ID:5
                                                                                                                          Start time:05:24:49
                                                                                                                          Start date:21/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe"
                                                                                                                          Imagebase:0x8c0000
                                                                                                                          File size:56'488'784 bytes
                                                                                                                          MD5 hash:4725DA5F62C1456C206E15ED7FDFBE06
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000005.00000003.42517780192.000000000D4F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000005.00000003.42514150305.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.42524052287.000000000FA67000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000005.00000003.42520499388.000000000EF4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000005.00000003.42521864806.000000000FA6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000005.00000003.42515660543.000000000F4D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000005.00000003.42519322816.000000000EF47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000005.00000003.42522963535.000000000FFF7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Reputation:low
                                                                                                                          Has exited:false
                                                                                                                          Show Windows behavior

                                                                                                                          File Activities

                                                                                                                          Show Windows behavior

                                                                                                                          Section Activities

                                                                                                                          Show Windows behavior

                                                                                                                          Registry Activities

                                                                                                                          Show Windows behavior

                                                                                                                          Mutex Activities

                                                                                                                          Show Windows behavior

                                                                                                                          Process Activities

                                                                                                                          Show Windows behavior

                                                                                                                          Thread Activities

                                                                                                                          Show Windows behavior

                                                                                                                          Memory Activities

                                                                                                                          Show Windows behavior

                                                                                                                          System Activities

                                                                                                                          Show Windows behavior

                                                                                                                          Timing Activities

                                                                                                                          Show Windows behavior

                                                                                                                          Windows UI Activities

                                                                                                                          Show Windows behavior

                                                                                                                          Network Activities

                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                                                                                                          Disassembly

                                                                                                                          No disassembly