Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip

Overview

General Information

Sample name:MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip
Analysis ID:1583314
MD5:040e4e96b3c71169e5706b579862bb8c
SHA1:f9da50db010b8704a5246d42d2cd1e898a244b3f
SHA256:03691405dc49eed57372ef1877d246c3464453aa26ed49966cae495bb5fb95dd
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Adds / modifies Windows certificates
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: Powershell Defender Exclusion
Sigma detected: Remote Thread Creation Via PowerShell In Uncommon Target
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64_ra
  • rundll32.exe (PID: 5876 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
    • SIHClient.exe (PID: 7120 cmdline: C:\Windows\System32\sihclient.exe /cv dJzNCxikgEKhZUcQhpdb9w.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)
  • FreeFileSync_13.9_Windows_Setup.exe (PID: 6680 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" MD5: 954CEE0E02BAC777F4DB7A05EE8BDA65)
    • FreeFileSync_13.9_Windows_Setup.tmp (PID: 6708 cmdline: "C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$70274,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" MD5: AFC70B74FF6456A1DB47AA6A5480A389)
      • FreeFileSync_13.9_Windows_Setup.exe (PID: 6768 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$402E4 /NOTIFYWND=$70274 MD5: 954CEE0E02BAC777F4DB7A05EE8BDA65)
        • FreeFileSync_13.9_Windows_Setup.tmp (PID: 3680 cmdline: "C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$60232,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$402E4 /NOTIFYWND=$70274 MD5: AFC70B74FF6456A1DB47AA6A5480A389)
          • FreeFileSync.exe (PID: 6788 cmdline: "C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exe" ffs_setup_convert_jpg_to_bmp "C:\Users\user\AppData\Local\Temp\is-C4603.tmp\img_38.jpg" MD5: DD8779C4A9D2F47F3C9279F6F7786E69)
          • powershell.exe (PID: 5876 cmdline: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • WmiPrvSE.exe (PID: 5992 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • FreeFileSync.exe (PID: 4048 cmdline: "C:\Program Files\FreeFileSync\FreeFileSync.exe" ffs_setup_finalize MD5: DD8779C4A9D2F47F3C9279F6F7786E69)
            • FreeFileSync_x64.exe (PID: 1992 cmdline: "C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe" ffs_setup_finalize MD5: 9C31F370631A40917DF397F40C0772DB)
  • FreeFileSync.exe (PID: 6676 cmdline: "C:\Program Files\FreeFileSync\FreeFileSync.exe" MD5: DD8779C4A9D2F47F3C9279F6F7786E69)
    • FreeFileSync_x64.exe (PID: 6176 cmdline: "C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe" MD5: 9C31F370631A40917DF397F40C0772DB)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", CommandLine: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", CommandLine|base64offset|contains: )f, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$60232,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$402E4 /NOTIFYWND=$70274 , ParentImage: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp, ParentProcessId: 3680, ParentProcessName: FreeFileSync_13.9_Windows_Setup.tmp, ProcessCommandLine: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", ProcessId: 5876, ProcessName: powershell.exe
Sigma detected: Powershell Defender Exclusion
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", CommandLine: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", CommandLine|base64offset|contains: )f, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$60232,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$402E4 /NOTIFYWND=$70274 , ParentImage: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp, ParentProcessId: 3680, ParentProcessName: FreeFileSync_13.9_Windows_Setup.tmp, ProcessCommandLine: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", ProcessId: 5876, ProcessName: powershell.exe
Sigma detected: Remote Thread Creation Via PowerShell In Uncommon Target
Source: Threat createdAuthor: Florian Roth (Nextron Systems): Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 5876, StartAddress: 7333B510, TargetImage: C:\Windows\System32\rundll32.exe, TargetProcessId: 5876
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", CommandLine: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", CommandLine|base64offset|contains: )f, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$60232,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$402E4 /NOTIFYWND=$70274 , ParentImage: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp, ParentProcessId: 3680, ParentProcessName: FreeFileSync_13.9_Windows_Setup.tmp, ProcessCommandLine: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", ProcessId: 5876, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-02T13:15:11.289949+010020283713Unknown Traffic192.168.2.1649708104.21.2.160443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_6f67f2a6-6
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSyncJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\UninstallJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Uninstall\unins000.datJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Uninstall\is-EQHL2.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-8FVAV.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-81S7P.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-TKF44.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-J31F1.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-J98NS.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\ResourcesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-ULEV9.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-SMVCI.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-A5FO7.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-T210P.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-RASIR.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-I98HC.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-D7MVB.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-OU4FF.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-VNAJ7.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-8TU6B.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-KIH76.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-94DHL.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-R2L57.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\BinJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-PP537.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-MAE6G.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-EQ2P4.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-7GL1G.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Uninstall\unins000.msgJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\Animal.datJump to behavior
Source: unknownHTTPS traffic detected: 104.21.2.160:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.2.160:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\FreeFileSync.pdbB source: FreeFileSync.exe, 0000000F.00000000.1312796845.0000000000C86000.00000002.00000001.01000000.0000000A.sdmp, FreeFileSync.exe, 00000012.00000000.1455939232.0000000000592000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\FreeFileSync_x64.pdb source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\RealTimeSync_Win32.pdb source: is-EQ2P4.tmp.14.dr
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\RealTimeSync_x64.pdb source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-7GL1G.tmp.14.dr
Source: Binary string: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\engine\tb_rand.c..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x509_obj.cNO X509_NAMEX509_NAME_onelinecompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";os-specificCPUINFO: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\asn1\a_d2i_fp.casn1_d2i_read_biotimed out source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\FreeFileSync.pdb source: FreeFileSync.exe, 0000000F.00000000.1312796845.0000000000C86000.00000002.00000001.01000000.0000000A.sdmp, FreeFileSync.exe, 00000012.00000000.1455939232.0000000000592000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\v3_purp.csetup_dpossl_x509v3_cache_extensionsALLRANDCIPHERSDIGESTSPKEYPKEY_CRYPTOPKEY_ASN1ENGINE_set_default_string..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\engine\eng_fat.cstr=%s..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x509_cmp.cossl_x509_add_cert_newX509_add_certX509_add_certs-fipsX509_check_private_keyossl_x509_check_private_key0123456789ABCDEFcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.4.0 22 Oct 20243.4.0built on: Thu Oct 24 07:45:18 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Data\Projects\OpenSSL\Build\msvc_v143_x64_release\lib\engines-3"MODULESDIR: "C:\Data\Projects\OpenSSL\Build\msvc_v143_x64_release\lib\ossl-modules"CPUINFO: N/AOSSL_WINCTX: Undefinednot available..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x_all.cSHA512SHAKE256SHA256X509_CRL_digest..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\pem\pem_info.cPEM_X509_INFO_read_bio_exX509 CERTIFICATETRUSTED CERTIFICATE source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmp
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: C:\Users\user
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: C:\Users\user\AppData
Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49708 -> 104.21.2.160:443
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: api.freefilesync.org
Source: unknownHTTP traffic detected: POST /new_installation HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: */*User-Agent: FFS-InstallerContent-Length: 180Host: api.freefilesync.org
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://127.0.0.1:
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://127.0.0.1:GETacceptHTTP/1.0
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE78000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE78000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE5B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.0000000002609000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://fsf.org/
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE78000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE5B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE5B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://subca.ocsp-certum.com01
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://subca.ocsp-certum.com02
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://subca.ocsp-certum.com05
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE5B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://www.certum.pl/CPS0
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1292924391.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1298130882.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.0000000002743000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1562866707.0000000003832000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.dk-soft.org/
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: http://www.wxwidgets.org
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1579518337.0000000002BC6000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.0000000002846000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://FreeFileSync.org
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1579518337.0000000002BDC000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.000000000285C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://FreeFileSync.org/manual.php)
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1574858518.0000000002AEC000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.00000000026C4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://FreeFileSync.org/manual.php1
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1292924391.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1298130882.0000000003A00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://FreeFileSync.orgFhttps://FreeFileSync.org/manual.php
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://accounts.google.com/o/oauth2/v2/auth?
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://accounts.google.com/o/oauth2/v2/auth?login_hintMESSAGE_PLACEHOLDERYou
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1568826413.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1560397835.0000000000593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.freefilesync.org/
Source: FreeFileSync_x64.exe, 00000017.00000002.2443679910.00000235CEA40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.freefilesync.org/FV
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://api.freefilesync.org/activate_installationvenosdusrmodzadf%231d34kjjfInstall.datosffsRequire
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://api.freefilesync.org/email_notifystatusokServer
Source: FreeFileSync_x64.exe, 00000017.00000002.2443679910.00000235CEA40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.freefilesync.org/j
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://api.freefilesync.org/latest_changes?
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://api.freefilesync.org/latest_changes?https://freefilesync.org/faq.php#donation-editionInvalid
Source: FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBF22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.freefilesync.org/latest_version
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://api.freefilesync.org/latest_versionUnexpected
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1292924391.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1298130882.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.00000000027EB000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1567119469.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1560239378.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1560397835.0000000000593000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1568826413.000000000059A000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549285688.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.0000000002609000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.14.drString found in binary or memory: https://api.freefilesync.org/new_installation
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://drive.google.com/drive/folders/Item
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/activate-installation.php?
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/activate-installation.php?Failed
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/business.php?
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/business.php?Invalid
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1292924391.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1298130882.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.00000000027EB000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1562866707.0000000003815000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1561332618.00000000035E6000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.0000000002609000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.14.drString found in binary or memory: https://freefilesync.org/donate
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/donateSupport
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1292924391.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1298130882.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.00000000027EB000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1569933140.0000000003A30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1568512267.000000000054D000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1566581244.0000000000546000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1561332618.00000000035E6000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.0000000002609000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://freefilesync.org/faq.php#business
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1292924391.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1298130882.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.00000000027EB000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1569933140.0000000003A30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1568512267.000000000054D000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1566581244.0000000000546000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1561332618.00000000035E6000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.0000000002609000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://freefilesync.org/faq.php#donation-edition
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/forum1.Activate
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/get_latest.phpos_version64ffs_variantos_namedip_scaleffs_lang32os_archDonat
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/images/FreeFileSync.png
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/images/log/
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/images/log/Items
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/images/log/clock.png
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/images/log/email_short_txtemail_short_htmlsync_resultprocessed_itemsprocess
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/images/log/file.png
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/images/log/log.png
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/images/log/msg-error.png
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/images/log/msg-warning.png
Source: is-81S7P.tmp.14.drString found in binary or memory: https://freefilesync.org/manual.php?topic=command-line)
Source: is-81S7P.tmp.14.drString found in binary or memory: https://freefilesync.org/manual.php?topic=comparison-settings)
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=comparison-settingsHandle
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=daylight-saving-time1
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=exclude-filesInclude:Local
Source: is-81S7P.tmp.14.drString found in binary or memory: https://freefilesync.org/manual.php?topic=expert-settings)
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=expert-settingsA
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-7GL1G.tmp.14.drString found in binary or memory: https://freefilesync.org/manual.php?topic=expert-settingsAvmSnd.dllFailed
Source: is-EQ2P4.tmp.14.drString found in binary or memory: https://freefilesync.org/manual.php?topic=expert-settingsThe
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-7GL1G.tmp.14.drString found in binary or memory: https://freefilesync.org/manual.php?topic=expert-settingsfreefilesync.org
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=external-applicationsParent
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=freefilesync
Source: is-81S7P.tmp.14.drString found in binary or memory: https://freefilesync.org/manual.php?topic=ftp-setup)
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=ftp-setupAccess
Source: is-81S7P.tmp.14.drString found in binary or memory: https://freefilesync.org/manual.php?topic=macros)
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=performanceParallel
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-7GL1G.tmp.14.drString found in binary or memory: https://freefilesync.org/manual.php?topic=realtimesync&View
Source: is-EQ2P4.tmp.14.drString found in binary or memory: https://freefilesync.org/manual.php?topic=realtimesyncBrowseIdle
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=schedule-a-batch-job&CancelThe
Source: is-81S7P.tmp.14.drString found in binary or memory: https://freefilesync.org/manual.php?topic=schedule-batch-jobs)
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=synchronization-settingsDetect
Source: is-81S7P.tmp.14.drString found in binary or memory: https://freefilesync.org/manual.php?topic=variable-drive-letters)
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=versioningMove
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/thank-you.php?
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/thank-you.php?Invalid
Source: is-81S7P.tmp.14.drString found in binary or memory: https://freefilesync.org/tutorials.php)
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmp, is-EQ2P4.tmp.14.drString found in binary or memory: https://github.com/keymanapp/keyman/issues/1723The
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-7GL1G.tmp.14.drString found in binary or memory: https://github.com/keymanapp/keyman/issues/1723keyman64.dllFailed
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: is-81S7P.tmp.14.drString found in binary or memory: https://winmerge.org/)
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.0000000002609000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE78000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drString found in binary or memory: https://www.certum.pl/CPS0
Source: is-81S7P.tmp.14.drString found in binary or memory: https://www.codeproject.com/Articles/1144/Beating-the-Daylight-Savings-Time-bug-and-getting)
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.google.com/Multiple
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.googleapis.com/
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.googleapis.com//upload/drive/v3/files?googleapis.comInvalid
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.googleapis.com/auth/drive
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.googleapis.com/auth/driveresponse_typecode_challengescopeUnexpected
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007F97B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000000.1296410030.0000000000371000.00000020.00000001.01000000.00000007.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000000.1306880426.0000000000ABD000.00000020.00000001.01000000.00000009.sdmpString found in binary or memory: https://www.innosetup.com/
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007F97B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000000.1296410030.0000000000371000.00000020.00000001.01000000.00000007.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000000.1306880426.0000000000ABD000.00000020.00000001.01000000.00000009.sdmpString found in binary or memory: https://www.remobjects.com/ps
Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
Source: unknownHTTPS traffic detected: 104.21.2.160:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.2.160:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: C:\Windows\System32\SIHClient.exeFile created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP41C2.tmpJump to behavior
Source: C:\Windows\System32\SIHClient.exeFile created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPD4BC.tmpJump to behavior
Source: FreeFileSync_13.9_Windows_Setup.tmp.9.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: FreeFileSync_13.9_Windows_Setup.tmp.13.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-EQHL2.tmp.14.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-EQHL2.tmp.14.drStatic PE information: Number of sections : 11 > 10
Source: FreeFileSync_13.9_Windows_Setup.tmp.13.drStatic PE information: Number of sections : 11 > 10
Source: FreeFileSync_13.9_Windows_Setup.tmp.9.drStatic PE information: Number of sections : 11 > 10
Source: is-7GL1G.tmp.14.drBinary string: .tmpContract error: close() called more than once.Cannot open file %x.CloseHandleAssertion failed: "bytesRead <= bytesToRead"C:\Data\Projects\zen\file_io.cppSetFileInformationByHandleInvalid file name %x ends with a dot character.C:\Data\Projects\zen\serialize.h\\?\\\?\UNC\\\\\?\UNC\\\?\GLOBALROOT\Device\CompareStringOrdinal] Error comparing strings:Unexpected return value: \\?\GLOBALROOT\Device\C:\Data\Projects\zen\file_path.cpp\\?\Volume{\SystemRoot\\??\UNC\\Device\SystemRoot
Source: is-EQ2P4.tmp.14.drBinary string: @xA.tmpContract error: close() called more than once.Cannot open file %x.CloseHandleAssertion failed: "bytesRead <= bytesToRead"C:\Data\Projects\zen\file_io.cppSetFileInformationByHandleInvalid file name %x ends with a dot character.C:\Data\Projects\zen\serialize.h\\?\\\?\UNC\\\?\GLOBALROOT\Device\\\?:\[\\?\UNC\Unexpected return value: CompareStringOrdinalC:\Data\Projects\zen\file_path.cpp] Error comparing strings:\\?\Volume{\\?\GLOBALROOT\Device\\??\UNC\\??\SystemRoot\SystemRoot\\Device\
Source: is-7GL1G.tmp.14.drBinary string: \\?\GLOBALROOT\Device\
Source: is-7GL1G.tmp.14.drBinary string: \Device\
Source: classification engineClassification label: mal52.evad.winZIP@21/73@1/1
Source: is-81S7P.tmp.14.drInitial sample: https://devblogs.microsoft.com/oldnewthing/?p=6563
Source: is-81S7P.tmp.14.drInitial sample: https://freefilesync.org/manual.php?topic=schedule-batch-jobs
Source: is-81S7P.tmp.14.drInitial sample: https://freefilesync.org/manual.php?topic=macros
Source: is-81S7P.tmp.14.drInitial sample: https://freefilesync.org/manual.php?topic=command-line
Source: is-81S7P.tmp.14.drInitial sample: https://freefilesync.org/manual.php?topic=expert-settings
Source: is-81S7P.tmp.14.drInitial sample: https://winmerge.org/
Source: is-81S7P.tmp.14.drInitial sample: https://freefilesync.org/manual.php?topic=ftp-setup
Source: is-81S7P.tmp.14.drInitial sample: https://freefilesync.org/tutorials.php
Source: is-81S7P.tmp.14.drInitial sample: https://www.codeproject.com/Articles/1144/Beating-the-Daylight-Savings-Time-bug-and-getting
Source: is-81S7P.tmp.14.drInitial sample: https://www.codeproject.com/articles/1144/beating-the-daylight-savings-time-bug-and-getting
Source: is-81S7P.tmp.14.drInitial sample: https://freefilesync.org/manual.php?topic=variable-drive-letters
Source: is-81S7P.tmp.14.drInitial sample: https://freefilesync.org/manual.php?topic=comparison-settings
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSyncJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Users\Public\Desktop\FreeFileSync.lnkJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\SIHClient.exeMutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeFile created: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: C:\Windows\System32\SIHClient.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\SIHClient.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\SIHClient.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\SIHClient.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeFile read: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeJump to behavior
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv dJzNCxikgEKhZUcQhpdb9w.0.2
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$70274,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$402E4 /NOTIFYWND=$70274
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$60232,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$402E4 /NOTIFYWND=$70274
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exe "C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exe" ffs_setup_convert_jpg_to_bmp "C:\Users\user\AppData\Local\Temp\is-C4603.tmp\img_38.jpg"
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'"
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Program Files\FreeFileSync\FreeFileSync.exe "C:\Program Files\FreeFileSync\FreeFileSync.exe" ffs_setup_finalize
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeProcess created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe "C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe" ffs_setup_finalize
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknownProcess created: C:\Program Files\FreeFileSync\FreeFileSync.exe "C:\Program Files\FreeFileSync\FreeFileSync.exe"
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeProcess created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe "C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$70274,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$60232,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$402E4 /NOTIFYWND=$70274 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exe "C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exe" ffs_setup_convert_jpg_to_bmp "C:\Users\user\AppData\Local\Temp\is-C4603.tmp\img_38.jpg"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Program Files\FreeFileSync\FreeFileSync.exe "C:\Program Files\FreeFileSync\FreeFileSync.exe" ffs_setup_finalizeJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeProcess created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe "C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe" ffs_setup_finalizeJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeProcess created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe "C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: pcacli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: msftedit.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: windows.globalization.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: bcp47mrm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: globinputhost.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: windows.ui.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: inputhost.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: winhttpcom.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: webio.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: oleacc.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: uxtheme.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: mpr.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: propsys.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: version.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: msimg32.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: msasn1.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: windows.storage.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: wldp.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: iphlpapi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: windowscodecs.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: profapi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: linkinfo.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: cryptsp.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: rsaenh.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: cryptbase.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: rstrtmgr.dll
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: ncrypt.dll
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: ntasn1.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: oleacc.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: uxtheme.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: mpr.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: propsys.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: version.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: msimg32.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: msasn1.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: windows.storage.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: wldp.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: iphlpapi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: windowscodecs.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: profapi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: linkinfo.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: cryptsp.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: rsaenh.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: cryptbase.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: msisip.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: wshext.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: appxsip.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: opcservices.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: esdsip.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: gpapi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: textshaping.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: thumbcache.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: policymanager.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: msvcp110_win.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: dataexchange.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: d3d11.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: dcomp.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: dxgi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: twinapi.appcore.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: textinputframework.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: coreuicomponents.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: coremessaging.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: ntmarta.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: wintypes.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: wintypes.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: wintypes.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: wininet.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: iertutil.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: sspicli.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: winhttp.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: mswsock.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: winnsi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: urlmon.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: srvcli.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: netutils.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: dnsapi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: rasadhlp.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: fwpuclnt.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: schannel.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: mskeyprotect.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: ntasn1.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: dpapi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: ncrypt.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: ncryptsslp.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: explorerframe.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: winmm.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: winmmbase.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: mmdevapi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: devobj.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: ksuser.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: avrt.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: audioses.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: powrprof.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: umpdc.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: msacm32.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: midimap.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: dui70.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: duser.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: dwmapi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: edputil.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: windows.ui.fileexplorer.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: assignedaccessruntime.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: xmllite.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: windows.fileexplorer.common.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: structuredquery.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: atlthunk.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: windows.storage.search.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: twinapi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: ntshrui.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: cscapi.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: actxprxy.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: apphelp.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: ehstorshell.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: networkexplorer.dll
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: cscui.dll
Source: C:\Windows\System32\SIHClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07369A67-07A6-4608-ABEA-379491CB7C46}\InprocServer32Jump to behavior
Source: FreeFileSync.lnk.14.drLNK file: ..\..\..\Program Files\FreeFileSync\FreeFileSync.exe
Source: RealTimeSync.lnk.14.drLNK file: ..\..\..\Program Files\FreeFileSync\RealTimeSync.exe
Source: FreeFileSync.lnk0.14.drLNK file: ..\..\..\..\..\Program Files\FreeFileSync\FreeFileSync.exe
Source: RealTimeSync.lnk0.14.drLNK file: ..\..\..\..\..\Program Files\FreeFileSync\RealTimeSync.exe
Source: FreeFileSync.lnk1.14.drLNK file: ..\..\..\..\..\..\..\Program Files\FreeFileSync\FreeFileSync.exe
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpWindow found: window name: TMainFormJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeWindow detected: Number of UI elements: 52
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeWindow detected: Number of UI elements: 52
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeWindow detected: Number of UI elements: 52
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeWindow detected: Number of UI elements: 13
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSyncJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\UninstallJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Uninstall\unins000.datJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Uninstall\is-EQHL2.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-8FVAV.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-81S7P.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-TKF44.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-J31F1.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-J98NS.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\ResourcesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-ULEV9.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-SMVCI.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-A5FO7.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-T210P.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-RASIR.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-I98HC.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-D7MVB.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-OU4FF.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-VNAJ7.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-8TU6B.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-KIH76.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-94DHL.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-R2L57.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\BinJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-PP537.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-MAE6G.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-EQ2P4.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-7GL1G.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Uninstall\unins000.msgJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\Animal.datJump to behavior
Source: MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zipStatic file information: File size 20159091 > 1048576
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\FreeFileSync.pdbB source: FreeFileSync.exe, 0000000F.00000000.1312796845.0000000000C86000.00000002.00000001.01000000.0000000A.sdmp, FreeFileSync.exe, 00000012.00000000.1455939232.0000000000592000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\FreeFileSync_x64.pdb source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\RealTimeSync_Win32.pdb source: is-EQ2P4.tmp.14.dr
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\RealTimeSync_x64.pdb source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-7GL1G.tmp.14.dr
Source: Binary string: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\engine\tb_rand.c..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x509_obj.cNO X509_NAMEX509_NAME_onelinecompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";os-specificCPUINFO: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\asn1\a_d2i_fp.casn1_d2i_read_biotimed out source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\FreeFileSync.pdb source: FreeFileSync.exe, 0000000F.00000000.1312796845.0000000000C86000.00000002.00000001.01000000.0000000A.sdmp, FreeFileSync.exe, 00000012.00000000.1455939232.0000000000592000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\v3_purp.csetup_dpossl_x509v3_cache_extensionsALLRANDCIPHERSDIGESTSPKEYPKEY_CRYPTOPKEY_ASN1ENGINE_set_default_string..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\engine\eng_fat.cstr=%s..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x509_cmp.cossl_x509_add_cert_newX509_add_certX509_add_certs-fipsX509_check_private_keyossl_x509_check_private_key0123456789ABCDEFcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.4.0 22 Oct 20243.4.0built on: Thu Oct 24 07:45:18 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Data\Projects\OpenSSL\Build\msvc_v143_x64_release\lib\engines-3"MODULESDIR: "C:\Data\Projects\OpenSSL\Build\msvc_v143_x64_release\lib\ossl-modules"CPUINFO: N/AOSSL_WINCTX: Undefinednot available..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x_all.cSHA512SHAKE256SHA256X509_CRL_digest..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\pem\pem_info.cPEM_X509_INFO_read_bio_exX509 CERTIFICATETRUSTED CERTIFICATE source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmp
Source: FreeFileSync_13.9_Windows_Setup.tmp.9.drStatic PE information: section name: .didata
Source: FreeFileSync_13.9_Windows_Setup.tmp.13.drStatic PE information: section name: .didata
Source: is-EQHL2.tmp.14.drStatic PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\is-TKF44.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_Win32.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Uninstall\unins000.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\RealTimeSync_x64.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\is-J31F1.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\is-7GL1G.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\is-MAE6G.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\RealTimeSync.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeFile created: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\is-EQ2P4.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\RealTimeSync_Win32.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Uninstall\is-EQHL2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\is-PP537.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeFile created: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\FreeFileSync.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FreeFileSync.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealTimeSync.lnkJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: is-EQ2P4.tmp.14.drBinary or memory string: HTTPS://FREEFILESYNC.ORG/MANUAL.PHP?TOPIC=EXPERT-SETTINGSTHE AVAST VIRUS SCANNER WAS FOUND ON YOUR SYSTEM (%X) AND APPARENTLY CAUSED FREEFILESYNC TO CRASH DURING SOUND PLAYBACK.FAILED TO GET FILE INFO FOR "ASWHOOK.DLL": FREEFILESYNC.ORG TO RESOLVE THE PROBLEM:
Source: is-EQ2P4.tmp.14.drBinary or memory string: IN ORDER TO AVOID CRASHING, EITHER UNINSTALL "VISUAL STUDIO 2022 PREVIEW", OR UPDATE TO A NEWER VERSION.FAILED TO GET CRASH INFO FOR "VSFILEHANDLER_64.DLL": ASWHOOK.DLLWINMM.DLL
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: IN ORDER TO AVOID CRASHING, EITHER UNINSTALL "NVIDIA NVIEW DESKTOP MANAGER" VERSION 148.47, OR UPDATE YOUR NVIDIA GRAPHICS CARD DRIVERS TO A NEWER VERSION.) WAS FOUND ON YOUR SYSTEM AND APPARENTLY CAUSED FREEFILESYNC TO CRASH.FAILED TO GET CRASH INFO FOR "VSFILEHANDLER_64.DLL": ASWHOOK.DLLVSFILEHANDLER_64.DLL
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-7GL1G.tmp.14.drBinary or memory string: IN ORDER TO AVOID CRASHING, EITHER UNINSTALL "VISUAL STUDIO 2022 PREVIEW", OR UPDATE TO A NEWER VERSION.WINMM.DLLASWHOOK.DLLTHE AVAST VIRUS SCANNER WAS FOUND ON YOUR SYSTEM (%X) AND APPARENTLY CAUSED FREEFILESYNC TO CRASH DURING SOUND PLAYBACK.
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-7GL1G.tmp.14.drBinary or memory string: 3. SEND THE LINKFAILED TO GET FILE INFO FOR "ASWHOOK.DLL": A CRASH DUMP FILE WAS WRITTEN:
Source: FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: IN ORDER TO AVOID CRASHING, EITHER UNINSTALL "VISUAL STUDIO 2022 PREVIEW", OR UPDATE TO A NEWER VERSION.THE AVAST VIRUS SCANNER WAS FOUND ON YOUR SYSTEM (%X) AND APPARENTLY CAUSED FREEFILESYNC TO CRASH DURING SOUND PLAYBACK.FAILED TO GET FILE INFO FOR "ASWHOOK.DLL": WINMM.DLL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3767Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5946Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\Bin\FreeFileSync_Win32.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\Bin\RealTimeSync_x64.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\is-J31F1.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\Bin\is-7GL1G.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\RealTimeSync.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\Bin\is-EQ2P4.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\Bin\RealTimeSync_Win32.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\Bin\is-PP537.tmpJump to dropped file
Source: C:\Windows\System32\SIHClient.exe TID: 7140Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp TID: 1088Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4696Thread sleep time: -3689348814741908s >= -30000sJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: PhysicalDrive0
Source: C:\Windows\System32\SIHClient.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: C:\Users\user
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: C:\Users\user\AppData
Source: FreeFileSync_13.9_Windows_Setup.exeBinary or memory string: 7xwVMcI
Source: SIHClient.exe, 00000003.00000003.1258282177.000001CB72DFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWpr
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1560397835.0000000000593000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWx
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000002.1576645157.0000000000C5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: is-VNAJ7.tmp.14.drBinary or memory string: #1DQemu}}
Source: FreeFileSync_x64.exe, 00000017.00000002.2448708744.00000235CECDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#4&D
Source: SIHClient.exe, 00000003.00000003.1257859381.000001CB72E4D000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549285688.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1932882234.00000235CEBFE000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2424058446.00000235C9C46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000002.1576645157.0000000000C5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549461333.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1567328865.00000000005CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
Source: FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CC167000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWdClass
Source: SIHClient.exe, 00000003.00000003.1632237253.000001CB72E56000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000003.00000003.1257859381.000001CB72E4D000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000003.00000002.1640296364.000001CB72E57000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000003.00000003.1636361380.000001CB72E57000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000003.00000003.1258528089.000001CB72E56000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW"+
Source: FreeFileSync_x64.exe, 00000017.00000003.1932882234.00000235CED03000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: user-PC\userWdtPWdtPWdtP6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}leBins
Source: FreeFileSync_x64.exe, 00000013.00000002.1499084639.000001E76982E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess token adjusted: Debug
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeProcess created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe "C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe" ffs_setup_finalizeJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeProcess created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe "C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp "c:\users\user\appdata\local\temp\is-kllab.tmp\freefilesync_13.9_windows_setup.tmp" /sl5="$60232,19508176,913920,c:\users\user\appdata\local\temp\temp1_mde_file_sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\freefilesync_13.9_windows_setup.exe" /spawnwnd=$402e4 /notifywnd=$70274
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp "c:\users\user\appdata\local\temp\is-kllab.tmp\freefilesync_13.9_windows_setup.tmp" /sl5="$60232,19508176,913920,c:\users\user\appdata\local\temp\temp1_mde_file_sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\freefilesync_13.9_windows_setup.exe" /spawnwnd=$402e4 /notifywnd=$70274 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exeQueries volume information: C:\Users\user\AppData\Local\Temp\is-C4603.tmp\img_38.jpg VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeQueries volume information: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe VolumeInformation
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E BlobJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeDirectory queried: C:\Users\user\Documents
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeDirectory queried: C:\Users\user\Documents
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeDirectory queried: C:\Users\user\Documents
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeDirectory queried: C:\Users\user\Documents
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeDirectory queried: C:\Users\user\Documents\Outlook Files

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire Infrastructure1
Spearphishing Link		2
Windows Management Instrumentation		1
Registry Run Keys / Startup Folder		11
Process Injection		13
Masquerading		OS Credential Dumping1
Query Registry		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts12
Command and Scripting Interpreter		1
DLL Side-Loading		1
Registry Run Keys / Startup Folder		1
Disable or Modify Tools		LSASS Memory121
Security Software Discovery		Remote Desktop Protocol1
Data from Local System		2
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		41
Virtualization/Sandbox Evasion		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared Drive3
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Process Injection		NTDS41
Virtualization/Sandbox Evasion		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Rundll32		LSA Secrets1
Application Window Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain Credentials2
System Owner/User Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
Remote System Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem12
File and Directory Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow42
System Information Discovery		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1583314 Sample: MDE_File_Sample_017466bb6ff... Startdate: 02/01/2025 Architecture: WINDOWS Score: 52 58 api.freefilesync.org 2->58 64 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->64 66 Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet 2->66 11 FreeFileSync_13.9_Windows_Setup.exe 2 2->11         started        14 rundll32.exe 2->14         started        16 FreeFileSync.exe 2->16         started        signatures3 process4 file5 48 C:\...\FreeFileSync_13.9_Windows_Setup.tmp, PE32 11->48 dropped 18 FreeFileSync_13.9_Windows_Setup.tmp 1 11->18         started        20 SIHClient.exe 6 14->20         started        22 FreeFileSync_x64.exe 16->22         started        process6 process7 24 FreeFileSync_13.9_Windows_Setup.exe 2 18->24         started        file8 46 C:\...\FreeFileSync_13.9_Windows_Setup.tmp, PE32 24->46 dropped 27 FreeFileSync_13.9_Windows_Setup.tmp 50 41 24->27         started        process9 dnsIp10 60 api.freefilesync.org 104.21.2.160, 443, 49708, 49709 CLOUDFLARENETUS United States 27->60 50 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 27->50 dropped 52 C:\Users\user\AppData\...\FreeFileSync.exe, PE32 27->52 dropped 54 C:\Program Files\FreeFileSync\is-TKF44.tmp, PE32 27->54 dropped 56 13 other files (none is malicious) 27->56 dropped 70 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 27->70 32 powershell.exe 23 27->32         started        35 FreeFileSync.exe 27->35         started        37 FreeFileSync.exe 1 27->37         started        file11 signatures12 process13 signatures14 62 Loading BitLocker PowerShell Module 32->62 39 conhost.exe 32->39         started        41 WmiPrvSE.exe 32->41         started        43 FreeFileSync_x64.exe 35->43         started        process15 signatures16 68 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->68

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

SourceDetectionScannerLabelLink
C:\Program Files\FreeFileSync\Bin\FreeFileSync_Win32.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\RealTimeSync_Win32.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\RealTimeSync_x64.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\is-7GL1G.tmp0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\is-EQ2P4.tmp0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\is-MAE6G.tmp0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\is-PP537.tmp0%ReversingLabs
C:\Program Files\FreeFileSync\FreeFileSync.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\RealTimeSync.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\Uninstall\is-EQHL2.tmp0%ReversingLabs
C:\Program Files\FreeFileSync\Uninstall\unins000.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\is-J31F1.tmp0%ReversingLabs
C:\Program Files\FreeFileSync\is-TKF44.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exe0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-C4603.tmp\_isetup\_setup64.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmp0%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://127.0.0.1:GETacceptHTTP/1.00%Avira URL Cloudsafe
https://api.freefilesync.org/latest_version0%Avira URL Cloudsafe
http://www.wxwidgets.org0%Avira URL Cloudsafe
https://api.freefilesync.org/0%Avira URL Cloudsafe
https://api.freefilesync.org/email_notifystatusokServer0%Avira URL Cloudsafe
https://api.freefilesync.org/FV0%Avira URL Cloudsafe
https://api.freefilesync.org/activate_installationvenosdusrmodzadf%231d34kjjfInstall.datosffsRequire0%Avira URL Cloudsafe
https://api.freefilesync.org/latest_changes?https://freefilesync.org/faq.php#donation-editionInvalid0%Avira URL Cloudsafe
https://api.freefilesync.org/j0%Avira URL Cloudsafe
https://api.freefilesync.org/latest_changes?0%Avira URL Cloudsafe
https://api.freefilesync.org/new_installation0%Avira URL Cloudsafe
https://FreeFileSync.orgFhttps://FreeFileSync.org/manual.php0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
api.freefilesync.org
104.21.2.160
truefalse
    		unknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://api.freefilesync.org/latest_versionfalse
    • Avira URL Cloud: safe
    		unknown
    https://api.freefilesync.org/new_installationfalse
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://freefilesync.org/manual.php?topic=ftp-setupAccessFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
      		high
      https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupUFreeFileSync_13.9_Windows_Setup.exefalse
        		high
        http://repository.certum.pl/ctsca2021.cer0AFreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
          		high
          http://crl.certum.pl/ctsca2021.crl0oFreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
            		high
            https://freefilesync.org/business.php?InvalidFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
              		high
              https://drive.google.com/drive/folders/ItemFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                		high
                https://freefilesync.org/images/log/msg-warning.pngFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                  		high
                  http://ccsca2021.crl.certum.pl/ccsca2021.crl0sFreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE78000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                    		high
                    http://127.0.0.1:GETacceptHTTP/1.0FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://freefilesync.org/images/log/clock.pngFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                      		high
                      https://api.freefilesync.org/FVFreeFileSync_x64.exe, 00000017.00000002.2443679910.00000235CEA40000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://api.freefilesync.org/jFreeFileSync_x64.exe, 00000017.00000002.2443679910.00000235CEA40000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://repository.certum.pl/ccsca2021.cer0FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE78000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                        		high
                        https://freefilesync.org/images/log/ItemsFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                          		high
                          https://freefilesync.org/manual.php?topic=ftp-setup)is-81S7P.tmp.14.drfalse
                            		high
                            https://api.freefilesync.org/FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1568826413.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1560397835.0000000000593000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://freefilesync.org/manual.php?topic=schedule-a-batch-job&CancelTheFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                              		high
                              https://curl.se/docs/hsts.htmlFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                		high
                                https://github.com/keymanapp/keyman/issues/1723keyman64.dllFailedFreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-7GL1G.tmp.14.drfalse
                                  		high
                                  http://www.wxwidgets.orgFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://freefilesync.org/manual.php?topic=realtimesync&ViewFreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-7GL1G.tmp.14.drfalse
                                    		high
                                    http://subca.ocsp-certum.com05FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                                      		high
                                      https://www.remobjects.com/psFreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007F97B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000000.1296410030.0000000000371000.00000020.00000001.01000000.00000007.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000000.1306880426.0000000000ABD000.00000020.00000001.01000000.00000009.sdmpfalse
                                        		high
                                        https://github.com/keymanapp/keyman/issues/1723TheFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmp, is-EQ2P4.tmp.14.drfalse
                                          		high
                                          http://subca.ocsp-certum.com02FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                                            		high
                                            http://subca.ocsp-certum.com01FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE5B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                                              		high
                                              https://www.innosetup.com/FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007F97B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000000.1296410030.0000000000371000.00000020.00000001.01000000.00000007.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000000.1306880426.0000000000ABD000.00000020.00000001.01000000.00000009.sdmpfalse
                                                		high
                                                http://crl.certum.pl/ctnca2.crl0lFreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                                                  		high
                                                  http://repository.certum.pl/ctnca2.cer09FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                                                    		high
                                                    http://ccsca2021.ocsp-certum.com05FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE78000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                                                      		high
                                                      https://FreeFileSync.orgFreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1579518337.0000000002BC6000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.0000000002846000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://freefilesync.org/manual.php?topic=external-applicationsParentFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                          		high
                                                          https://freefilesync.org/manual.php?topic=schedule-batch-jobs)is-81S7P.tmp.14.drfalse
                                                            		high
                                                            http://www.certum.pl/CPS0FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE5B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                                                              		high
                                                              https://freefilesync.org/images/log/FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                		high
                                                                https://freefilesync.org/manual.php?topic=freefilesyncFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                  		high
                                                                  https://freefilesync.org/images/log/file.pngFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                    		high
                                                                    https://freefilesync.org/donateFreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1292924391.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1298130882.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.00000000027EB000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1562866707.0000000003815000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1561332618.00000000035E6000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.0000000002609000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.14.drfalse
                                                                      		high
                                                                      https://freefilesync.org/manual.php?topic=daylight-saving-time1FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                        		high
                                                                        https://api.freefilesync.org/latest_changes?https://freefilesync.org/faq.php#donation-editionInvalidFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://repository.certum.pl/ctnca.cer09FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE5B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                                                                          		high
                                                                          https://api.freefilesync.org/email_notifystatusokServerFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://freefilesync.org/images/log/email_short_txtemail_short_htmlsync_resultprocessed_itemsprocessFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                            		high
                                                                            http://crl.certum.pl/ctnca.crl0kFreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BE5B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BE4B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                                                                              		high
                                                                              https://freefilesync.org/forum1.ActivateFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                		high
                                                                                https://freefilesync.org/images/log/msg-error.pngFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                  		high
                                                                                  https://freefilesync.org/manual.php?topic=versioningMoveFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                    		high
                                                                                    https://www.apache.org/licenses/FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.0000000002609000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://freefilesync.org/manual.php?topic=macros)is-81S7P.tmp.14.drfalse
                                                                                        		high
                                                                                        https://FreeFileSync.org/manual.php)FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1579518337.0000000002BDC000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.000000000285C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://curl.se/docs/alt-svc.htmlFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                            		high
                                                                                            https://www.certum.pl/CPS0FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294739742.000000007FC6B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1294252110.00000000031AF000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1549696366.0000000005040000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1567651536.00000000001ED000.00000004.00000010.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500372996.000001E769B55000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1502650153.000001E76BBE3000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B8E1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE47000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000002.1500517361.000001E76B91C000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1491318802.000001E76BC30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000013.00000003.1489709037.000001E76BE56000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000003.1595410981.00000235CC0FB000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE98000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_x64.exe, 00000017.00000002.2437192640.00000235CBE78000.00000004.00000020.00020000.00000000.sdmp, is-EQ2P4.tmp.14.dr, is-7GL1G.tmp.14.drfalse
                                                                                              		high
                                                                                              https://freefilesync.org/manual.php?topic=comparison-settingsHandleFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                		high
                                                                                                https://freefilesync.org/faq.php#donation-editionFreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1292924391.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1298130882.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.00000000027EB000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1569933140.0000000003A30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1568512267.000000000054D000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1566581244.0000000000546000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1561332618.00000000035E6000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.0000000002609000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://freefilesync.org/manual.php?topic=performanceParallelFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                    		high
                                                                                                    https://www.codeproject.com/Articles/1144/Beating-the-Daylight-Savings-Time-bug-and-getting)is-81S7P.tmp.14.drfalse
                                                                                                      		high
                                                                                                      https://FreeFileSync.org/manual.php1FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1574858518.0000000002AEC000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.00000000026C4000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://freefilesync.org/manual.php?topic=comparison-settings)is-81S7P.tmp.14.drfalse
                                                                                                          		high
                                                                                                          http://www.dk-soft.org/FreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1292924391.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1298130882.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.0000000002743000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1562866707.0000000003832000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://freefilesync.org/manual.php?topic=variable-drive-letters)is-81S7P.tmp.14.drfalse
                                                                                                              		high
                                                                                                              https://freefilesync.org/donateSupportFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                		high
                                                                                                                https://freefilesync.org/manual.php?topic=exclude-filesInclude:LocalFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://freefilesync.org/get_latest.phpos_version64ffs_variantos_namedip_scaleffs_lang32os_archDonatFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://127.0.0.1:FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://freefilesync.org/faq.php#businessFreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1292924391.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1298130882.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 0000000D.00000003.1571573159.00000000027EB000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1569933140.0000000003A30000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000002.1568512267.000000000054D000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1566581244.0000000000546000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1561332618.00000000035E6000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.0000000002609000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://freefilesync.org/images/log/log.pngFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://freefilesync.org/thank-you.php?InvalidFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://api.freefilesync.org/activate_installationvenosdusrmodzadf%231d34kjjfInstall.datosffsRequireFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            		unknown
                                                                                                                            https://api.freefilesync.org/latest_changes?FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            		unknown
                                                                                                                            https://freefilesync.org/business.php?FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://winmerge.org/)is-81S7P.tmp.14.drfalse
                                                                                                                                		high
                                                                                                                                https://freefilesync.org/manual.php?topic=realtimesyncBrowseIdleis-EQ2P4.tmp.14.drfalse
                                                                                                                                  		high
                                                                                                                                  https://freefilesync.org/manual.php?topic=synchronization-settingsDetectFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://FreeFileSync.orgFhttps://FreeFileSync.org/manual.phpFreeFileSync_13.9_Windows_Setup.exe, 00000009.00000003.1292924391.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 0000000A.00000003.1298130882.0000000003A00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    		unknown
                                                                                                                                    https://freefilesync.org/activate-installation.php?FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://freefilesync.org/thank-you.php?FreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        https://freefilesync.org/tutorials.php)is-81S7P.tmp.14.drfalse
                                                                                                                                          		high
                                                                                                                                          https://freefilesync.org/images/FreeFileSync.pngFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            http://fsf.org/FreeFileSync_13.9_Windows_Setup.tmp, 0000000E.00000003.1564596485.0000000002609000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              https://freefilesync.org/activate-installation.php?FailedFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://freefilesync.org/manual.php?topic=command-line)is-81S7P.tmp.14.drfalse
                                                                                                                                                  		high
                                                                                                                                                  https://www.google.com/MultipleFreeFileSync_x64.exe, 00000013.00000000.1470027104.00007FF70C86E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                    		high

                                                                                                                                                    World Map of Contacted IPs

                                                                                                                                                    • No. of IPs < 25%
                                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                                    • 75% < No. of IPs

                                                                                                                                                    Public IPs

                                                                                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                    104.21.2.160
                                                                                                                                                    		api.freefilesync.orgUnited States
                                                                                                                                                    		13335CLOUDFLARENETUSfalse

                                                                                                                                                    General Information

                                                                                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                    Analysis ID:1583314
                                                                                                                                                    Start date and time:2025-01-02 13:14:01 +01:00
                                                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                                                    Overall analysis duration:0h 6m 18s
                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                    Report type:full
                                                                                                                                                    Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                    Number of analysed new started processes analysed:26
                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                    Number of injected processes analysed:1
                                                                                                                                                    Technologies:
                                                                                                                                                    • EGA enabled
                                                                                                                                                    • AMSI enabled
                                                                                                                                                    Analysis Mode:default
                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                    Sample name:MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip
                                                                                                                                                    Detection:MAL
                                                                                                                                                    Classification:mal52.evad.winZIP@21/73@1/1
                                                                                                                                                    Cookbook Comments:
                                                                                                                                                    • Found application associated with file extension: .zip

                                                                                                                                                    Warnings

                                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, consent.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                                    • Excluded IPs from analysis (whitelisted): 20.109.210.53, 20.3.187.198, 52.149.20.212, 184.28.90.27
                                                                                                                                                    • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                    • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                    Simulations

                                                                                                                                                    Behavior and APIs

                                                                                                                                                    TimeTypeDescription
                                                                                                                                                    07:14:41API Interceptor2x Sleep call for process: SIHClient.exe modified
                                                                                                                                                    07:15:02API Interceptor11x Sleep call for process: powershell.exe modified
                                                                                                                                                    07:15:10API Interceptor2x Sleep call for process: FreeFileSync_13.9_Windows_Setup.tmp modified
                                                                                                                                                    07:15:19API Interceptor7x Sleep call for process: FreeFileSync_x64.exe modified

                                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                                    IPs

                                                                                                                                                    No context

                                                                                                                                                    Domains

                                                                                                                                                    No context

                                                                                                                                                    ASNs

                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                    CLOUDFLARENETUShttps://www.ecorfan.org/Get hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.17.24.14
                                                                                                                                                    https://debeeyardelia.pages.devGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 188.114.96.3
                                                                                                                                                    Setup.exe.7zGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 172.64.41.3
                                                                                                                                                    http://www.johnlewis-partnerships.comGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.18.43.2
                                                                                                                                                    https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690Get hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.21.0.170
                                                                                                                                                    1.ps1Get hashmaliciousCobaltStrike, MetasploitBrowse
                                                                                                                                                    • 104.21.96.1
                                                                                                                                                    random(4).exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                    • 172.67.129.178
                                                                                                                                                    inv#12180.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                    • 172.67.182.198
                                                                                                                                                    dGhlYXB0Z3JvdXA=-free.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 188.114.97.3
                                                                                                                                                    dGhlYXB0Z3JvdXA=-free.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 188.114.97.3

                                                                                                                                                    JA3 Fingerprints

                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                    a0e9f5d64349fb13191bc781f81f42e1Setup.exe.7zGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    176.113.115.170.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    ETVk1yP43q.exeGet hashmaliciousAZORultBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    UhsjR3ZFTD.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    KRNL.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    SET_UP.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    web44.mp4.htaGet hashmaliciousLummaCBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    qnUFsmyxMm.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    37f463bf4616ecd445d4a1937da06e19Setup.exe.7zGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    45631.exeGet hashmaliciousNitolBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    45631.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    1734098836319.exeGet hashmaliciousBlackMoonBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    ETVk1yP43q.exeGet hashmaliciousAZORultBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    16oApcahEa.exeGet hashmaliciousBabuk, DjvuBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    6a7e35.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    ipmsg5.6.18_installer.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    OXoeX1Ii3x.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.21.2.160
                                                                                                                                                    OXoeX1Ii3x.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.21.2.160

                                                                                                                                                    Dropped Files

                                                                                                                                                    No context

                                                                                                                                                    Created / dropped Files

                                                                                                                                                    C:\Program Files\FreeFileSync\Bin\FreeFileSync_Win32.exe (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):15743600
                                                                                                                                                    Entropy (8bit):6.676478492192778
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:393216:lK+Z2WzDVJMtn6w81osfhZGuOzmo1UPBQba:lK3WzDVJg6ZPfauOmeUC
                                                                                                                                                    MD5:6EAD4B37E3E54E11161907B7A8946F8B
                                                                                                                                                    SHA1:3AFAA2CE6D8662F1EE8841D08C11EB4AEAA851CA
                                                                                                                                                    SHA-256:7DEC5B9507A5EE363CD2BB66D7AED183702FCE29291AEED4B75838126810D9CB
                                                                                                                                                    SHA-512:0650E364110B3F7D8887545E374B7B5D172A188C57E52F847046032C323AE69F9027EFC3EB61D485368319666A15AFD0C27EE683348632F4EFD1DBE15595FECA
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........5w..[$..[$..[$..X%..[$..\%..[$.9.$..[$.9_%..[$.9X%..[$.9^%..[$..^%..[$.._%..[$..]%..[$..Z%..[$..Z$.[$.:_%.[$.:_%.[$.:^%..[$.9R%@.[$.9.$..[$.9Y%..[$Rich..[$................PE..L.....Tg...............*.8...<J.....xH.......P....@.......................................@..................................5...........j..............p(......<....J..T....................K......(...@............P......H0.. ....................text...h6.......8.................. ..`.rdata...'0..P...(0..<..............@..@.data................d..............@....rsrc....j.......l..................@..@.reloc..<............^..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):17732208
                                                                                                                                                    Entropy (8bit):6.5078627737248596
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:393216:W7ndm7EDXrvLbAu/DziINa8ocKlq7RCKJ:W707EDZ7
                                                                                                                                                    MD5:9C31F370631A40917DF397F40C0772DB
                                                                                                                                                    SHA1:FF7C84DD75DAF2C3B9D44113D8D6303E1F8AC9CB
                                                                                                                                                    SHA-256:022C26BA9B5E3FE6B8B3290B4C4B939D6DD766E425BBD3AD99FBFAE739E911E3
                                                                                                                                                    SHA-512:F6BAA74EBBB713422807C49C5EA31D3A61656E7750AC42F35BF7629D5FCA71BECB4DB1DAC447194DC78B7909ADB357754E291FD0DFCED6D2B9DABB225E0D2C7E
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......p.J44.$g4.$g4.$g..'f..$g..#f5.$g%P.g<.$g%P f .$g%P'f:.$g%P!f^.$g..!f..$g.. f..$g.."f5.$g..%f..$g4.%gb.$g.S fk.$g|S f|.$g|S!f_.$g.P-f..$g.P.g5.$g.P&f5.$gRich4.$g........................PE..d.....Tg.........."....*....r[................@.............................`......6.....`.................................................p?.......p...j......,....j..p(......$v..l...T.......................(.......@..............0...t8.. ....................text...I.......................... ..`.rdata..^.@......@................@..@.data...i?.......r...v..............@....pdata..,...........................@..@.rsrc....j...p...l..................@..@.reloc..$v.......x..................@..B........................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Bin\RealTimeSync_Win32.exe (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):7277680
                                                                                                                                                    Entropy (8bit):6.6027141847884945
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:196608:F3cuVDkD08cv6+JFLUdKreojYmI+v+i/FZBTa:BVJfv6+PT/LI+2KFm
                                                                                                                                                    MD5:51DDC8386A8E2038D5B161A827518334
                                                                                                                                                    SHA1:0DF90D95CB4896DE91AC89390B73FA496E2684A5
                                                                                                                                                    SHA-256:2F5873807C4260C7A30DB0BB87AA59D36D755E9E5041B10C4302AE3B28E6E0D9
                                                                                                                                                    SHA-512:BFDF7F83B2D098CC75FA3F48079556ADB8400BD858FBC4AAF4E65ED088E3E73723BF06732EA93E74EDEA60D188F0A27321AB57032DB365488A06D23EA50D3B78
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........k.q...q...q.......q......tq.......q.......q.......q.......q.......q.......q...q..cs.......q.......p..-....q..-....q..-....q..Rich.q..........................PE..L.....Tg...............*..L...&.....sl=...... L...@..........................@r.......o...@...................................d.......i...............n.p(....k..F..Ht].T....................t]......s].@............ L..............................text.....L.......L................. ..`.rdata....... L.......L.............@..@.data...p.... e.......e.............@....rsrc.........i.......f.............@..@.reloc...F....k..H....h.............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Bin\RealTimeSync_x64.exe (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):7765104
                                                                                                                                                    Entropy (8bit):6.495639480068131
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:196608:5iL+17hE7wVd3kpdwnnziRUXP2Ry9sLIBa:AL+17hE7wVd3kD
                                                                                                                                                    MD5:730CE133466E06C8E7A3089053A53979
                                                                                                                                                    SHA1:5BD7C9513C81E3B1F86BF9D008CD2D9684867476
                                                                                                                                                    SHA-256:D5BA33ACDC6316E3BFDC0085D7BC5C60EA69F56BC9AD0A9B6115B279D6EA3B14
                                                                                                                                                    SHA-512:4F58EE5745168314D046B2EF84C45D153C29C1FBB04BE884A5EC77D8DB6D8C48FA9BA701B461BA961C784B8535A2564402FC6F2B8FA0E380D1611994074CE333
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........d..............}......}..1..................................}......}......}..........3................h.......h.......h.......Rich............................PE..d.....Tg.........."....*.`M..j,.......A........@..............................y.....Q_w...`.................................................t+m.......u.......r.\....Tv.p(....x.T.....b.T.....................b.(...@.b.@............pM.p............................text....^M......`M................. ..`.rdata..`....pM......dM.............@..@.data...|n...pm......bm.............@....pdata..\.....r......Xo.............@..@.rsrc.........u......dr.............@..@.reloc..T.....x......|t.............@..B........................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Bin\is-7GL1G.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):7765104
                                                                                                                                                    Entropy (8bit):6.495639480068131
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:196608:5iL+17hE7wVd3kpdwnnziRUXP2Ry9sLIBa:AL+17hE7wVd3kD
                                                                                                                                                    MD5:730CE133466E06C8E7A3089053A53979
                                                                                                                                                    SHA1:5BD7C9513C81E3B1F86BF9D008CD2D9684867476
                                                                                                                                                    SHA-256:D5BA33ACDC6316E3BFDC0085D7BC5C60EA69F56BC9AD0A9B6115B279D6EA3B14
                                                                                                                                                    SHA-512:4F58EE5745168314D046B2EF84C45D153C29C1FBB04BE884A5EC77D8DB6D8C48FA9BA701B461BA961C784B8535A2564402FC6F2B8FA0E380D1611994074CE333
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........d..............}......}..1..................................}......}......}..........3................h.......h.......h.......Rich............................PE..d.....Tg.........."....*.`M..j,.......A........@..............................y.....Q_w...`.................................................t+m.......u.......r.\....Tv.p(....x.T.....b.T.....................b.(...@.b.@............pM.p............................text....^M......`M................. ..`.rdata..`....pM......dM.............@..@.data...|n...pm......bm.............@....pdata..\.....r......Xo.............@..@.rsrc.........u......dr.............@..@.reloc..T.....x......|t.............@..B........................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Bin\is-EQ2P4.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):7277680
                                                                                                                                                    Entropy (8bit):6.6027141847884945
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:196608:F3cuVDkD08cv6+JFLUdKreojYmI+v+i/FZBTa:BVJfv6+PT/LI+2KFm
                                                                                                                                                    MD5:51DDC8386A8E2038D5B161A827518334
                                                                                                                                                    SHA1:0DF90D95CB4896DE91AC89390B73FA496E2684A5
                                                                                                                                                    SHA-256:2F5873807C4260C7A30DB0BB87AA59D36D755E9E5041B10C4302AE3B28E6E0D9
                                                                                                                                                    SHA-512:BFDF7F83B2D098CC75FA3F48079556ADB8400BD858FBC4AAF4E65ED088E3E73723BF06732EA93E74EDEA60D188F0A27321AB57032DB365488A06D23EA50D3B78
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........k.q...q...q.......q......tq.......q.......q.......q.......q.......q.......q...q..cs.......q.......p..-....q..-....q..-....q..Rich.q..........................PE..L.....Tg...............*..L...&.....sl=...... L...@..........................@r.......o...@...................................d.......i...............n.p(....k..F..Ht].T....................t]......s].@............ L..............................text.....L.......L................. ..`.rdata....... L.......L.............@..@.data...p.... e.......e.............@....rsrc.........i.......f.............@..@.reloc...F....k..H....h.............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Bin\is-MAE6G.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):17732208
                                                                                                                                                    Entropy (8bit):6.5078627737248596
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:393216:W7ndm7EDXrvLbAu/DziINa8ocKlq7RCKJ:W707EDZ7
                                                                                                                                                    MD5:9C31F370631A40917DF397F40C0772DB
                                                                                                                                                    SHA1:FF7C84DD75DAF2C3B9D44113D8D6303E1F8AC9CB
                                                                                                                                                    SHA-256:022C26BA9B5E3FE6B8B3290B4C4B939D6DD766E425BBD3AD99FBFAE739E911E3
                                                                                                                                                    SHA-512:F6BAA74EBBB713422807C49C5EA31D3A61656E7750AC42F35BF7629D5FCA71BECB4DB1DAC447194DC78B7909ADB357754E291FD0DFCED6D2B9DABB225E0D2C7E
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......p.J44.$g4.$g4.$g..'f..$g..#f5.$g%P.g<.$g%P f .$g%P'f:.$g%P!f^.$g..!f..$g.. f..$g.."f5.$g..%f..$g4.%gb.$g.S fk.$g|S f|.$g|S!f_.$g.P-f..$g.P.g5.$g.P&f5.$gRich4.$g........................PE..d.....Tg.........."....*....r[................@.............................`......6.....`.................................................p?.......p...j......,....j..p(......$v..l...T.......................(.......@..............0...t8.. ....................text...I.......................... ..`.rdata..^.@......@................@..@.data...i?.......r...v..............@....pdata..,...........................@..@.rsrc....j...p...l..................@..@.reloc..$v.......x..................@..B........................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Bin\is-PP537.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):15743600
                                                                                                                                                    Entropy (8bit):6.676478492192778
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:393216:lK+Z2WzDVJMtn6w81osfhZGuOzmo1UPBQba:lK3WzDVJg6ZPfauOmeUC
                                                                                                                                                    MD5:6EAD4B37E3E54E11161907B7A8946F8B
                                                                                                                                                    SHA1:3AFAA2CE6D8662F1EE8841D08C11EB4AEAA851CA
                                                                                                                                                    SHA-256:7DEC5B9507A5EE363CD2BB66D7AED183702FCE29291AEED4B75838126810D9CB
                                                                                                                                                    SHA-512:0650E364110B3F7D8887545E374B7B5D172A188C57E52F847046032C323AE69F9027EFC3EB61D485368319666A15AFD0C27EE683348632F4EFD1DBE15595FECA
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........5w..[$..[$..[$..X%..[$..\%..[$.9.$..[$.9_%..[$.9X%..[$.9^%..[$..^%..[$.._%..[$..]%..[$..Z%..[$..Z$.[$.:_%.[$.:_%.[$.:^%..[$.9R%@.[$.9.$..[$.9Y%..[$Rich..[$................PE..L.....Tg...............*.8...<J.....xH.......P....@.......................................@..................................5...........j..............p(......<....J..T....................K......(...@............P......H0.. ....................text...h6.......8.................. ..`.rdata...'0..P...(0..<..............@..@.data................d..............@....rsrc....j.......l..................@..@.reloc..<............^..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Changelog.txt (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):147223
                                                                                                                                                    Entropy (8bit):4.884422991548549
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3072:njjdQgWoXi9Wpsy8tLd3oXU91w28OvY+KlAd7J:TTmy2oks+KAd7J
                                                                                                                                                    MD5:6E6DBAD61ECC2B74C8150A227CD51FB5
                                                                                                                                                    SHA1:746924D5F98F9B4428A17CE36FA02B0459E9BC09
                                                                                                                                                    SHA-256:CF47B6710F5ADD5EB9BF4A4455507A123E17BE212D64A266ED57E1539ACB3EBB
                                                                                                                                                    SHA-512:A95B93CB659282B978271389681C63964DD85E3E21F42C678A6932E1073D8BBB7A1269898C4CA3FB7017A8FE7496CB11B4A54F043D5C6FC1FB33F2C675C42646
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:FreeFileSync 13.9 [2024-12-07]..------------------------------..Fixed CURLE_SEND_ERROR: OpenSSL SSL_write: SSL_ERROR_SYSCALL, errno 0..Added comparison and sync context menu options for multiple folder pairs..Show file include/exclude filter directly in tooltip..Fixed file not found error when cancelling file up-/download..Fixed showing cancelled config log status after nothing to sync..Updated translation files......FreeFileSync 13.8 [2024-11-04]..------------------------------..Support raw IPv6 server address for (S)FTP..RealTimeSync: Fixed scrollbar when adding/removing folders..Don't set sync direction for partial folder pairs..Uniquely identify partial folder pairs in error message..Fixed network login prompt not showing in Windows 11 24H2......FreeFileSync 13.7 [2024-06-23]..------------------------------..Support copying symlinks between SFTP devices..Fixed input focus not being restored after comparison/sync..Fixed log file pruning not considering selected configuration..Show s

                                                                                                                                                    C:\Program Files\FreeFileSync\FreeFileSync.exe (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):676464
                                                                                                                                                    Entropy (8bit):6.18963251148129
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12288:e+LGHv4E3fx+XjXh0vdb514ocPAwYf7krBl:e+Lov42x+X6lb51+ifwrL
                                                                                                                                                    MD5:DD8779C4A9D2F47F3C9279F6F7786E69
                                                                                                                                                    SHA1:6E288BE940E0035DDD3240537EDEEE3991A665A4
                                                                                                                                                    SHA-256:919322547B2E2D19BED839B8889A204A3E34742648736E2114F565751FD32351
                                                                                                                                                    SHA-512:4D710A8D95C7CFFC786743E0DA26D5A1B7CB4C9407EDD789EFA390BB2BA4A1CE670E98484E75BEFBBAF3367CE81B007CD3395F9B4F8ED2900FA086CEA7C995EC
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........|.c/.c/.c/..`..c/..f.C.c/..`...c/..g...c/..f...c/..g...c/..e..c/..b...c/.b/..c/o.j..c/o../.c/o.a..c/Rich.c/................PE..L.....Tg...............*.D...2......c........`....@.................................A.....@..................................}...........j...........*..p(...p...1...3..T....................3......P2..@............`..T............................text...jB.......D.................. ..`.rdata...,...`.......H..............@..@.data....e...........v..............@....rsrc....j.......l..................@..@.reloc...1...p...2..................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Install.dat (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):22
                                                                                                                                                    Entropy (8bit):4.459431618637295
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:aI:aI
                                                                                                                                                    MD5:C810DE60BF6CA1BE2501318BD584C3C3
                                                                                                                                                    SHA1:95583218CE67FF1702C723EC230A07B26F6A6DA0
                                                                                                                                                    SHA-256:CAEA72923531102B93E1EACDB25568C4228E138FBCF2D7F31EE65F0A4E00EE5D
                                                                                                                                                    SHA-512:035E56E3F7AE4CD62D5C0A746041803EC0B8F8F181FB35F19AE86D9C4848ED730CAF0A03B2AFA0E1304E21B43B82E62A96E0CA52EEBB692D3253CA4B3BD15474
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:Z....c.,.......1..a.^

                                                                                                                                                    C:\Program Files\FreeFileSync\Install.dat.8c16.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):22
                                                                                                                                                    Entropy (8bit):4.459431618637295
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:aI:aI
                                                                                                                                                    MD5:C810DE60BF6CA1BE2501318BD584C3C3
                                                                                                                                                    SHA1:95583218CE67FF1702C723EC230A07B26F6A6DA0
                                                                                                                                                    SHA-256:CAEA72923531102B93E1EACDB25568C4228E138FBCF2D7F31EE65F0A4E00EE5D
                                                                                                                                                    SHA-512:035E56E3F7AE4CD62D5C0A746041803EC0B8F8F181FB35F19AE86D9C4848ED730CAF0A03B2AFA0E1304E21B43B82E62A96E0CA52EEBB692D3253CA4B3BD15474
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:Z....c.,.......1..a.^

                                                                                                                                                    C:\Program Files\FreeFileSync\Install.dat.b7f2.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):30
                                                                                                                                                    Entropy (8bit):4.773557262275186
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:aYVZSN1:aYVsN1
                                                                                                                                                    MD5:9D89061609EE619DDF7BA40BEBA648CA
                                                                                                                                                    SHA1:F894610CDA749E7408A05FD41EDD1A06555295DE
                                                                                                                                                    SHA-256:E3B3879A04AB4A735D53A14E81D9CADAFEE1BD869F84F19E0BEDAEA5251C08F4
                                                                                                                                                    SHA-512:2BDD8A10EB6A1935BC81DB21155E8383DFD3A938ABEFB842B418F10BDF966C41E0888A9C0C55BD50EE0B5F2226C8837916285AB68EE888D9E146B6618F5A4ECD
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:Z...-.~.l....'.X..E.A.w(...

                                                                                                                                                    C:\Program Files\FreeFileSync\License.rtf (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:Rich Text Format data, version 1, ANSI, code page 1252
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):52941
                                                                                                                                                    Entropy (8bit):4.834889561469989
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:4IwnwOuD+WlljeKquwIx0i5D/e1iHdTcoPhpkYp/T/FXOx0Bpm3APzB4D:j1OuljeMr5DGwxUETy0Bpm3Al4D
                                                                                                                                                    MD5:EE9B7FD879D57A35B5F0F575A1755F71
                                                                                                                                                    SHA1:D3CA973EAA0EC74845E2E7851A6837AE08906E67
                                                                                                                                                    SHA-256:ADC61454C4F9DA3C500501D33E2949EC5B0B857C57B3CF2FD172FBFF2BF76CDB
                                                                                                                                                    SHA-512:D32DBF8B3AB9155F008F1283D4F37225E8B66A71F3E58BC1FED566EA8FC3618773DD73A677C772BE0EA4854D75264A8765EB0A3C480418A73060ED93D4B502CF
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deftab709{\fonttbl{\f0\fswiss\fprq2\fcharset0 Segoe UI;}}..{\colortbl ;\red0\green0\blue255;\red0\green0\blue128;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\nowidctlpar\hyphpar0\qc\kerning1\f0\fs26\lang1031 FreeFileSync: Terms of Use\par....\pard\nowidctlpar\hyphpar0\fs22\par..The FreeFileSync standard and {{\field{\*\fldinst{HYPERLINK "https://freefilesync.org/faq.php#donation-edition" }}{\fldrslt{\ul\cf1\cf2\ul Donation\~Edition}}}}\f0\fs22 are for \b private\~use\b0 only.\par..\b\fs11\par..\fs22 Commercial use\b0 requires buying\b \b0 the {{\field{\*\fldinst{HYPERLINK "https://freefilesync.org/faq.php#business" }}{\fldrslt{\ul\cf1\cf2\ul FreeFileSync\~Business\~Edition}}}}\f0\fs22 . This also applies to government organizations.\par....\pard\nowidctlpar\hyphpar0\qc _____________________________________________________________\par....\pard\nowidctlpar\hyphpar0\par..A. GNU General Public License\par..B. wxWidgets License\par

                                                                                                                                                    C:\Program Files\FreeFileSync\RealTimeSync.exe (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):390256
                                                                                                                                                    Entropy (8bit):6.134884165717768
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:B5EBllbJaaRqWCMjtIj2UpComPU8kmz7ia0oQhX:BiBllVfRqWCMYQUzeNLQh
                                                                                                                                                    MD5:93B8B77BAE7AF0FA64E9F59F8C15351E
                                                                                                                                                    SHA1:A01661073A1E0BB9EC697645EA2F5D36DDD66530
                                                                                                                                                    SHA-256:F4D1BBDBB75ED4017ADCEF6295DB223D5B633B9AFD88FD016E86434EDB97A262
                                                                                                                                                    SHA-512:FA804AA8E41647330512F00BDFA70BC6020C6CDC1AF24C2788D65CE7BD495B7007C9D4B119C9CBE571BF9089CF5843A5118690ED3956A2684403638251473D51
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$b..E...E...E...=...E...=..AE...=...E.......E.......E.......E...=...E...=...E...E.. E..l....E..l...E..l....E..Rich.E..................PE..L.....Tg...............*..........................@..........................P...........@....................................P.......................p(... ...%...d..T....................d......Xc..@............................................text...$........................... ..`.rdata..b...........................@..@.data....^...........~..............@....rsrc...............................@..@.reloc...%... ...&..................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\Animal.dat

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:JPEG image data, JFIF standard 1.02, resolution (DPCM), density 78x78, segment length 16, progressive, precision 8, 640x338, components 3
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):43986
                                                                                                                                                    Entropy (8bit):7.9774801317201804
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:s8akP/txfqiYo1xhe+Y4Sp2jb12C6MVlYRvrcT75UZH/jviObXv0Gu00E0kLS:sdAlFqiPSc12CqyN2fjvigdg
                                                                                                                                                    MD5:48AA26969F9384BD81C4723EA00E99A7
                                                                                                                                                    SHA1:1732956BB71FB52C79A5DFCCB6223BC1FB9A36CE
                                                                                                                                                    SHA-256:30D9864AFB4E0545D54C4F06F983F179EE6907F272B2598DBDEC2B26A90E3911
                                                                                                                                                    SHA-512:C832DC627344C931A439018F13675D97925A59647AB4E84558507246926F2701583BB0C014800F0EA68B0421A8707CB244A730000FFA5435E399FE7883DE7D4E
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:......JFIF.....N.N.....C....................................................................C.......................................................................R..........................................................................................9..:.V..Q.F.;A.....Vg6#"#;8RP>jG....pC ..7%...BRX.b.0...Kl...`.......9...#....`.6,..%#H...e..O...!..y...Z..../]..R.n....I".+:b..eV.R8%.......G........$...A]............X....!...J.......,....6,$.I..5-.b.G...-.y};.9....k%...,.u.....$$..IEu*H@.AIy>.O.=..^..iE,..0.....!\.5.....`.....2.#.r$F..Q!.!..b.d...JM.2i.LH...........9F.E./)..4WEJ.-.a...#.,@%!R...}w>..D..+...e4.1.2..@ .`..lX,`.6..b8n..I...G#..C...b..3...$.#H.!...@...y...*.Qw..*.S7...K.Wi.n.8...F.%ZUyB/?..|...."I.....#..m..#<.8...H,`.6......i.9..A$JI9JQ....9..`.....$.(.h.."G..]0o/..T.Kx...M..Qi..>.[.."..00RU%Q.Py....[...V......G.Ac..kL..r....b.`4.0......H.!.%.(..(..@HC...,....Q$@I.R.........F..hc.9..T...u...V.0F..6..WK:g:&..{{5.M..'...TlMeK.?.q.......F.....#.....R.. .!

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\Icons.zip (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):351747
                                                                                                                                                    Entropy (8bit):7.899316585167089
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:CAQnMm4AzR2iT0BeyMcEMHeBs/bhkS/vQQbOY+LX8d3pukVMQyP:CNX0iIBeyf+Bsdkg4yymuhfP
                                                                                                                                                    MD5:EB2B74B48971C9EE1F8739C047AEC356
                                                                                                                                                    SHA1:11B2576621F710513B34CCEDC33E86C6DBBE82BF
                                                                                                                                                    SHA-256:BD77639AE7610479AC31B66534A5AB8B84A3497DFC9DD2007FED40A565E0E7E8
                                                                                                                                                    SHA-512:D49E6F4F88C700BA6C821B8D20D1745EA456362675E8253307B8CC5B0467AE8506E53DFADDA4A4E1F7FD8D8F4DB0BBA369E4DCB194D3EDAA03A1058F76E4635C
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:PK........y..V................about.png.PNG........IHDR... ... .....szz.....tIME.....+2...%....pHYs...#...#.x.?v....gAMA......a.....IDATx...XTW../]1&k,.$&F,.((F.5.P. ....C..3 ...v...Q....m..A...!.A1.V..Q......!Fe....~.{.....=...!.... .W.G'..7.G.<Z.&..-Uy...e....Dg.)......#.OP....u.,^...H...9.K....J~x....].G.`.{.V|]s.i.-]k...;k.m.N.$..........H..^I..;N.E.4c...".o"8.........A.u...D@.u......"s..7..O^.}i........\....]..E.........d6.y..p.8f\...~.e.mo.-e.7..i..x.....n[E....2y.._2.+Sh.Dl..P.=..dbM..v...`.~.V__....n;..wu....X.v..(....4..KS.a......X./m....S...j@&K.t...k.S...M.,.j.....*.x..<...q...<~.....q..*._.a.....,.;.9..k..d.9._..I.c..M.ry.Z.....*..5...{.X....a~..f....t....x....C'.0;.{|..3C.8.a.|..).1.o..~a...4...0..).Ib.f....ST..[.._....x......Zw.3.y...^.$....#..>*:....d........n.....p....G.G0j.i..........MtL\....by..V...Z....e.H[..k $B>c....3WW.Hv............>.<h.....L.9.i.J.C)..c..$...6.o.%.q.....+..6....*.....!..~.?......A.AL.d...1..

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\Languages.zip (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):524890
                                                                                                                                                    Entropy (8bit):7.998477275593787
                                                                                                                                                    Encrypted:true
                                                                                                                                                    SSDEEP:12288:tHWwVw5n/cZGaKwH3OPaLBu5dTz/QoFk3mTiJYEyRLrO0NOwbVFEL:t2wVw5n63KwHeSLBurtC1a2sDQ
                                                                                                                                                    MD5:49DF22A8504B30AC0E66D0A8521BEFF2
                                                                                                                                                    SHA1:2ACDA03760A6EC4D1196197CF83A61FBB8965952
                                                                                                                                                    SHA-256:AF05178F06ECD3F8E8235DE53A91AAE011D75E6F78772B700D7C6B40D5B60479
                                                                                                                                                    SHA-512:EAFD5C5DCE9CF45B5DDA23DF702E73F60FDF6DBD163103D17C6D96179F70327896642EE89E071E6980308F0E5E60964F056D2DF86C0F5689BD35B1D0BCC8522C
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:PK.........}uY...!zF...T......bulgarian.lng.]_o.Gr.>.....D.@\E. ...c[....8...h...........'.:.....F..l'.`..+....3.(]U.3=..3.. @.......U..Uu.....7z...~..`/.{.....?.....$...e...~.../~..'~....]..}...{<.xy...?.i.l...8..x...[,`......b...=.$.A..$.....~.y...w....q.F}..wx.....o..l.w....x[.=7yS<a..l....9.&,...e...l.....d..evI....G.4p.Gn?q..{_.,.e.O8..1.p.2(.0......L.9.. .....(.x....~8.w.?.-...I.......-.O..:...]Wa.....<..E]..Fn4..X.u.z...`..^~,...Z.G..0.k.M.?..8X....t4.#X..79p.9....A..w..Q...43.#.JHuB.,@.G(...,;........-.s.?V+.)>.5,0.........?.X.*...../.6.F..j......q..ks1.,......L.z.d...N..3..V..4........U.....t......g.....9..R.;.u.. ....q..../...p..7..q}.f...p...*..<J;I.6..8.Y6..{...8.&<n.q...t<X.0.9-F.,.....Gc...;..........B.t...S.IOq...M.Gh....T`.`k...i.{..3/..4.._....yL..e.dF.ff3............7.17...Y.?.b..3.......%(..C&..{f.......h..I...C.'k..~.....AxP..M.;.`.2b....B....v.}!.n.a.'.hw\..G..7d....S.[....TD..r.1...wWlw=xp..s..[-.E....=UA.M...k.z.-..

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\bell.wav (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):102500
                                                                                                                                                    Entropy (8bit):6.555433845117635
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:DZbfe8QjDm2KS6RZD1FKtHNXM7g4dCJulvE7+O3zTPDOcxuVyyqqLYET7GLpQM8f:DVf2h6RVSmdE0xO3Hb9uMdVLJA
                                                                                                                                                    MD5:39A54BA919BA15551573DB2D39BA7440
                                                                                                                                                    SHA1:E595DA7379327C5AFABCE031B75C6573D0A0206A
                                                                                                                                                    SHA-256:F7EBAF259755C2F7DDBFE48E0D5351EDA8DC974C1C7A954D25EBE97BBF1CEF4A
                                                                                                                                                    SHA-512:15BF3DBFC055C27AD5AEA4C34874A850A9C97AB24C12E3C2428AC9A7C683E221FF2CA7C6283493272D7B37FA541F4EBC564316186CBDEC8F5F193EA3E3B7915E
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF\...WAVEfmt ........D....X......data8...r...!...........j.+...'...=...9.X.0...N...C...R.......+............./...6.l.J...f...........;.5...U.U.......t.....Z.=...B.........9...j...@.>.......1.....W.a.....C.........................1.......+.....0.............................7...4.I...........a.....f.............P...............+.V.2...p.|... ...{.....C.X.<.....N.....^.............].....N........x...........{.........3.............{.....D...{..._.).x./...;.o.Z..... ...`.<.............5.............3.......;.....$...X..X...,...j...O.?.....W...2...o.w.!...%...m.:.y...-.&...G.....................f.|.....\.|.s.....=...........;.O.......d...n...c.$...p...S...............(.............%.................^."...t.g.c.q.........r...9.........................Q.2.....?.Y...$.l...W.......*.....s.....D.....A.....B.H.U.M...|...d.N...b...........7.......'...}.d.......h.......(. .x.....L.Z.q...`...+..I...@.....T.p.z.......9...E...r.G.U.x.y.................7...Q.......#...h...........5...@...Q....._.

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\bell2.wav (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):87678
                                                                                                                                                    Entropy (8bit):6.600950279412908
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:MihVUU7j10GvDy2s65epfQ3XR7xTv7sHb+SAAVOhYmfE5RpX0+j6q2AcXe4Ldpq8:7UU7j6GjXDpEZAAVhD0+j6ve4hpq8
                                                                                                                                                    MD5:00E641ECF71AAFBEDF54F6D948CA8B58
                                                                                                                                                    SHA1:D235AB2E36BBD4974D6628FAAB9622A4D77F9328
                                                                                                                                                    SHA-256:0D670F271DBC8DDD1F8ADD6C01CDAD1678E8D968A38482A09B69AF2A4E12C3C2
                                                                                                                                                    SHA-512:AED88A9E8D1611C79F92AD19E5F6C5B0BD67BE9D9A72D62FFE7F99E8BD5FAEC98823EBCF245C88B8E14FCCDFED203532165D36D9DDAABC12303CF043C01D8E84
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFFvV..WAVEfmt ........D....X......dataRV......................4.z.1.U.&.........x...w.......e.F.N...{...$...,.....i.2.......!.~.0...,.....H.I.Q.................*.1...............U.D.....v.g.....0...........V.X.o.j.2.Z.d.1. .........(.P...[.?....................K.-............[.......+...............w...@...N...8.....i.....".....+...N...........F.......%.....N.......E.......=.................T...'.7.U.i...>.j.........!.....M.,...:.........,...Q.......H...&...a...l...............C.......a.........,...e...+...@.0./...".a.&.....1.i...%.........7.......W.....[.,.A...`...>.....V.(.....9.(.;.(...v... ./.S.....#.........P.....(...L.....F.Q.....m...~.......`.......Q.7.1...N.....g.U.....4.................F.S.#.....0.`...*...............R...:.......<...j.............$.E.W.....~...r.P.......N...,.............%.L.....@...H...p.........0..."...L.......|.....#.;...W.....j.:...G.................U.?.....].........R.1.............}.......:.........6.k...P...r.....;...............u.K... .9.....?.

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\cacert.pem (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:Unicode text, UTF-8 text
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):236849
                                                                                                                                                    Entropy (8bit):6.003001911190803
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:ecRqlx9NFqI6FdZL52dTOgSQh1hV1A9W2u2x:ecCnd6fZL5mO41hXA9Wkx
                                                                                                                                                    MD5:92C13373D7DBE43BDC167479274A43E2
                                                                                                                                                    SHA1:B0A93C92A2358CD0D9E9D202B6D60B69DF9DAB0B
                                                                                                                                                    SHA-256:BB1782D281FE60D4A2DCF41BC229ABE3E46C280212597D4ABCC25BDDF667739B
                                                                                                                                                    SHA-512:26C6FA1AC7BCFD523F9AB9E6C2D971103CCFC610AD0DF504D4E9B064DAD74576D77240C052B808F4C37C9240302A7E973A20F79EE39AC7BF3201A6FA9F0DFA96
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:##.## Bundle of CA Root Certificates.##.## Certificate data from Mozilla as of: Tue Nov 26 13:58:25 2024 GMT.##.## Find updated versions here: https://curl.se/docs/caextract.html.##.## This is a bundle of X.509 certificates of public Certificate Authorities.## (CA). These were automatically extracted from Mozilla's root certificates.## file (certdata.txt). This file can be found in the mozilla source tree:.## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt.##.## It contains the certificates in PEM format and therefore.## can be directly used with curl / libcurl / php_curl, or with.## an Apache+mod_ssl webserver for SSL client authentication..## Just configure this file as the SSLCACertificateFile..##.## Conversion done with mk-ca-bundle.pl version 1.29..## SHA256: 36105b01631f9fc03b1eca779b44a30a1a5890b9bf8dc07ccb001a07301e01cf.##...GlobalSign Root CA.==================.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAA

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\ding.wav (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):67340
                                                                                                                                                    Entropy (8bit):6.249655199455427
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:8Jcv03vs0BhTFiC7v+CZ7lISS1Q02NVfto7tZ/rGLBTLfI:8CE5jFisv+CDIfiZq7fjt
                                                                                                                                                    MD5:C13B4139D1E32DCABDB8EEE9E699053D
                                                                                                                                                    SHA1:2932FD23C0E67A4E63CC720E8DCC094041B1E511
                                                                                                                                                    SHA-256:D6B7B4D6E7A38E58484FED53BDBB27C0D0097A58E6289BC5C06267C6B2C8D06A
                                                                                                                                                    SHA-512:0F00B8A6C530F3C05089BC403C2E118D5653E17F19FB1020A2B42BE66289F62EC5E39165AB1DF55C09FFC9E39A57471EB140DBE978CB6EC918A2DEAB7EB4CB66
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF....WAVEfmt ........D....X......data......#.j...............f.J._.......#.U.......t.......,...].....7.......M.......K...*.../...w.2...J.....e.|.p.C.......L...=.......B...........Q.~...6...../.U...............W.:.`...........&.;.%.&."...c...-.Q.....Z.4...Q.(.....?.v...J.s.B.r...............q.......l.i...9.p.U.......#..4.X.=.q.H.........G.............;.......k.....'...k...............B.a.O.1.~.........Y...........t.M...h._.]...P.....O...3.....=.0.........X.....(.....p.>...s.....x...f.5.I...x...............b.......&...j.......C...........<.z.!...6.......F..._.L...........P...g.....y.4.....0...g.h.^.....;.....Y.#..C.+..............k...........v.......9.c.,...x.....E.$.....e.....e......*.........D.....p.....=.................N.j.......I...E...].=......^.t.m........*.....x...........d.*.=............. .n.....[.......U.^.I.....<.|.......&.%.....].D.....]...q.....}...........V.K.x.......#.2.....o.........u.'...L...^.Y.6.9...b.X.........................>...............^...8.......

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\fail.wav (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):35092
                                                                                                                                                    Entropy (8bit):7.05611679728137
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:89J1rqJ2HjTExdYblpk7epJoAJ/Sc6CdbzCpOAXdGHb:CqJ2H/bl6NAJ6c6qlAXdub
                                                                                                                                                    MD5:8E77A356049413423D4B090EADAC4BA9
                                                                                                                                                    SHA1:989854EC030D81E7CBA8441DDB9DD1BF1AED7C87
                                                                                                                                                    SHA-256:7409AC35B27BA3D05326045F43EE2346679BE37A0CDA4333BFD6BB28E5C0595D
                                                                                                                                                    SHA-512:68DD934734A3153AB14F6C06FAB6CC84F9E4BA2D3FA19F2A651A0E83BBDD77438E472836FE762BCE1AC2904D7C8B613714878CB7FFB8360C6DAA1422E34EE00F
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF....WAVEfmt ........D....X......data.....................................&.7.8...........<.&................................................. ...............................?.).........................-.2...4.s...........M...'.:...T.Q...............7...I...K.......^...j.....=.......'.........k.b...........-...@.,.U...*.....>.............t.r.>....+.....o.....l.......;.......M.+.V.............+...t.)._.x.......U...e.......:...................d.\...y.............0.(.......\.I...S.........f.S.......[...<.....r.~.Q...!.).........G...........@...S.p.......O.r......!....b...............K.............c.g...v...I.l.....P.Y...........\.....9.........w.d.4.......l.H.G.........~.\.......+.............P.............<...R.@.B...o.x...+.\.o.l.:.#.>._.O.3.......g.....C.].0.....o...!.|.........6.....G.....[.K...f...j.....m.}..... .H.......\.......f.Y.8..................(.^.(.........K.........x...A.1...8.....Q...x.6...............U.$.......].R.........,.g...L.W.............#.;...r.N.~.#.v.

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\fail2.wav (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 24000 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):50454
                                                                                                                                                    Entropy (8bit):7.132841508547479
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:XR8h/Ashig01KTPg+tZXhbLkxmXwvBy4QfSuR37v5qzQRYG/gIez:Xfs0zkjft3fkxmOI4Q6uF7v5qzeJgIez
                                                                                                                                                    MD5:18BBD6A2A31120E65FBB59909674D339
                                                                                                                                                    SHA1:2DE3DFC75C04B3C38538F448C13B9C6529676A3D
                                                                                                                                                    SHA-256:2AC1CEF32CC5A514375AEF53D82B84F5BF7F5463520DA497C3DFCD41FFD0DCDA
                                                                                                                                                    SHA-512:AE1F60E8AB60A11F1E118F3951480D167A41076ED506913CCD67EE9A6255D41AC5A1E173265E30B8954937903BD028A3147F8F69845D2D18FB21F0562E9CD7F3
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF....WAVEfmt .........]..........data........................................................................................................................................................................................................................................................................................ .......................................................................#.........................../.u...,...9.....L.........P.....M...m.......-...\.J.u...7...`...........+.....~.'....~...............B....!."Q!..M...x.N...B...e.g.........?.....{.I.P.....f...V.....].c.{.d.....T.P.......+..E..3.....#.%......V.......$"N,T1.0.*.!..k.`...7.W.&.C.".}.\...g...).............<.*.=./.....\...z.......e...........N.....-......Z..............).-_*. 7...,.Q.....................D...........|.........u.........w...}.c.....R.R...]...1.2......L.<.j.....j.f....-.e .'.&..%.....................^...!.g.............k.;.M.....&.G...D.....P.......k.....t...l.K.P......=....J.....

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\gong.wav (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):230274
                                                                                                                                                    Entropy (8bit):5.828753704400131
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:aNjvtDzBKXy1MzW3zioFQwGnJvCAIGLmr:azdzvDnGJ7IGqr
                                                                                                                                                    MD5:7DFF321C9C0DFBA94C1FD67B621DD759
                                                                                                                                                    SHA1:DA8910DF016404C38B0C77490D8DEEB15F6FEB73
                                                                                                                                                    SHA-256:7F6C0F42AF2125813D3FD67E57D2CF885D7D6567FBF076DAF7C13321FBB46D80
                                                                                                                                                    SHA-512:129E8BB6D545B22B552AD293101084A604E8B493A848DA9C019439F56EE073B124A53639B253E984F4835CAC2B4F907C98DAEEF2B10266E396D89EEBF60F1651
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFFz...WAVEfmt ........D....X......dataV...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\harp.wav (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):182060
                                                                                                                                                    Entropy (8bit):6.567289215526673
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3072:HznYojw9VI12joRDa1CxhDkGA6mHMkhcHijrbfr4JWILrqEOkMZrxu2+Hcd1MFq8:HjY98a1+SeSrbf8Tl1MZv8cHMn
                                                                                                                                                    MD5:E875FAD9206AA9A9F5D48FD9FC46EF69
                                                                                                                                                    SHA1:D18C4C8B93A2372AF83E613BBE9E447D4D205C7F
                                                                                                                                                    SHA-256:31DA846077E99BF11F95477B9547513D04DF8048914FA7AC8EC4087B7889C4B0
                                                                                                                                                    SHA-512:DC4E16216D64DB7A41B357A6C181EDFDAF5ED6B0BEEB640FFFD6F5752583105C9C0CBCD411F7971FA8A7C7C7DE5A85E74AD98DB470AFD1EE4D0432CF9EC2A1D7
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF$...WAVEfmt ........D....X......data................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-8TU6B.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):182060
                                                                                                                                                    Entropy (8bit):6.567289215526673
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3072:HznYojw9VI12joRDa1CxhDkGA6mHMkhcHijrbfr4JWILrqEOkMZrxu2+Hcd1MFq8:HjY98a1+SeSrbf8Tl1MZv8cHMn
                                                                                                                                                    MD5:E875FAD9206AA9A9F5D48FD9FC46EF69
                                                                                                                                                    SHA1:D18C4C8B93A2372AF83E613BBE9E447D4D205C7F
                                                                                                                                                    SHA-256:31DA846077E99BF11F95477B9547513D04DF8048914FA7AC8EC4087B7889C4B0
                                                                                                                                                    SHA-512:DC4E16216D64DB7A41B357A6C181EDFDAF5ED6B0BEEB640FFFD6F5752583105C9C0CBCD411F7971FA8A7C7C7DE5A85E74AD98DB470AFD1EE4D0432CF9EC2A1D7
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF$...WAVEfmt ........D....X......data................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-94DHL.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):114220
                                                                                                                                                    Entropy (8bit):5.815286660197201
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:6ToO1ilKTJMbmAiekySMd10fQfYKs2LfjfN2IupDrOQnQ6a+wX43E5PF:6TTiEMmFekySMH03KsiQDrO1D
                                                                                                                                                    MD5:9B9C547DA31F05167D03B9A9C4794A1E
                                                                                                                                                    SHA1:5CB65DA494D1BE506D00CCFC523D39C1AF4BF44E
                                                                                                                                                    SHA-256:CC8E7CED06DED913DC63F3DC48442D4B78247E98A0B1481ABAD421446E7B9725
                                                                                                                                                    SHA-512:97A0199C1B76A1B9FC54A7DFA52197754905248921D2268D2D963EAABB3DDCA6401389B61E44278E8179532E08FC82D0F75B3EADB8D8B1026F0508709958F132
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF$...WAVEfmt ........D....X......data................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-A5FO7.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:Unicode text, UTF-8 text
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):236849
                                                                                                                                                    Entropy (8bit):6.003001911190803
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:ecRqlx9NFqI6FdZL52dTOgSQh1hV1A9W2u2x:ecCnd6fZL5mO41hXA9Wkx
                                                                                                                                                    MD5:92C13373D7DBE43BDC167479274A43E2
                                                                                                                                                    SHA1:B0A93C92A2358CD0D9E9D202B6D60B69DF9DAB0B
                                                                                                                                                    SHA-256:BB1782D281FE60D4A2DCF41BC229ABE3E46C280212597D4ABCC25BDDF667739B
                                                                                                                                                    SHA-512:26C6FA1AC7BCFD523F9AB9E6C2D971103CCFC610AD0DF504D4E9B064DAD74576D77240C052B808F4C37C9240302A7E973A20F79EE39AC7BF3201A6FA9F0DFA96
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:##.## Bundle of CA Root Certificates.##.## Certificate data from Mozilla as of: Tue Nov 26 13:58:25 2024 GMT.##.## Find updated versions here: https://curl.se/docs/caextract.html.##.## This is a bundle of X.509 certificates of public Certificate Authorities.## (CA). These were automatically extracted from Mozilla's root certificates.## file (certdata.txt). This file can be found in the mozilla source tree:.## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt.##.## It contains the certificates in PEM format and therefore.## can be directly used with curl / libcurl / php_curl, or with.## an Apache+mod_ssl webserver for SSL client authentication..## Just configure this file as the SSLCACertificateFile..##.## Conversion done with mk-ca-bundle.pl version 1.29..## SHA256: 36105b01631f9fc03b1eca779b44a30a1a5890b9bf8dc07ccb001a07301e01cf.##...GlobalSign Root CA.==================.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAA

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-D7MVB.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):35092
                                                                                                                                                    Entropy (8bit):7.05611679728137
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:89J1rqJ2HjTExdYblpk7epJoAJ/Sc6CdbzCpOAXdGHb:CqJ2H/bl6NAJ6c6qlAXdub
                                                                                                                                                    MD5:8E77A356049413423D4B090EADAC4BA9
                                                                                                                                                    SHA1:989854EC030D81E7CBA8441DDB9DD1BF1AED7C87
                                                                                                                                                    SHA-256:7409AC35B27BA3D05326045F43EE2346679BE37A0CDA4333BFD6BB28E5C0595D
                                                                                                                                                    SHA-512:68DD934734A3153AB14F6C06FAB6CC84F9E4BA2D3FA19F2A651A0E83BBDD77438E472836FE762BCE1AC2904D7C8B613714878CB7FFB8360C6DAA1422E34EE00F
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF....WAVEfmt ........D....X......data.....................................&.7.8...........<.&................................................. ...............................?.).........................-.2...4.s...........M...'.:...T.Q...............7...I...K.......^...j.....=.......'.........k.b...........-...@.,.U...*.....>.............t.r.>....+.....o.....l.......;.......M.+.V.............+...t.)._.x.......U...e.......:...................d.\...y.............0.(.......\.I...S.........f.S.......[...<.....r.~.Q...!.).........G...........@...S.p.......O.r......!....b...............K.............c.g...v...I.l.....P.Y...........\.....9.........w.d.4.......l.H.G.........~.\.......+.............P.............<...R.@.B...o.x...+.\.o.l.:.#.>._.O.3.......g.....C.].0.....o...!.|.........6.....G.....[.K...f...j.....m.}..... .H.......\.......f.Y.8..................(.^.(.........K.........x...A.1...8.....Q...x.6...............U.$.......].R.........,.g...L.W.............#.;...r.N.~.#.v.

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-I98HC.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):67340
                                                                                                                                                    Entropy (8bit):6.249655199455427
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:8Jcv03vs0BhTFiC7v+CZ7lISS1Q02NVfto7tZ/rGLBTLfI:8CE5jFisv+CDIfiZq7fjt
                                                                                                                                                    MD5:C13B4139D1E32DCABDB8EEE9E699053D
                                                                                                                                                    SHA1:2932FD23C0E67A4E63CC720E8DCC094041B1E511
                                                                                                                                                    SHA-256:D6B7B4D6E7A38E58484FED53BDBB27C0D0097A58E6289BC5C06267C6B2C8D06A
                                                                                                                                                    SHA-512:0F00B8A6C530F3C05089BC403C2E118D5653E17F19FB1020A2B42BE66289F62EC5E39165AB1DF55C09FFC9E39A57471EB140DBE978CB6EC918A2DEAB7EB4CB66
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF....WAVEfmt ........D....X......data......#.j...............f.J._.......#.U.......t.......,...].....7.......M.......K...*.../...w.2...J.....e.|.p.C.......L...=.......B...........Q.~...6...../.U...............W.:.`...........&.;.%.&."...c...-.Q.....Z.4...Q.(.....?.v...J.s.B.r...............q.......l.i...9.p.U.......#..4.X.=.q.H.........G.............;.......k.....'...k...............B.a.O.1.~.........Y...........t.M...h._.]...P.....O...3.....=.0.........X.....(.....p.>...s.....x...f.5.I...x...............b.......&...j.......C...........<.z.!...6.......F..._.L...........P...g.....y.4.....0...g.h.^.....;.....Y.#..C.+..............k...........v.......9.c.,...x.....E.$.....e.....e......*.........D.....p.....=.................N.j.......I...E...].=......^.t.m........*.....x...........d.*.=............. .n.....[.......U.^.I.....<.|.......&.%.....].D.....]...q.....}...........V.K.x.......#.2.....o.........u.'...L...^.Y.6.9...b.X.........................>...............^...8.......

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-KIH76.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):54890
                                                                                                                                                    Entropy (8bit):6.922608548070075
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:k3RE1QCkFCNf8vCrzR6Rzrw7zRgxwqz5LI9jT7s:+zc8vCrYUzRb6+9v7s
                                                                                                                                                    MD5:E83E11BFCF969E11C40BB415D3F80D2B
                                                                                                                                                    SHA1:1D317B80265E40CCD7A31E8B2C09FB243FEBCBAF
                                                                                                                                                    SHA-256:0EF947556E4E00E3FCDB55EBEE46A6932F08111DC7D18C5E9AED1BD7D936E667
                                                                                                                                                    SHA-512:E220BCAEE82C9BB6FD035EEE7D5D9436765907231DF42D006EA072C2A26F526941BAE97684D4EE18AE86DA7104C2CB67D3228DD73FBA59F20AB246AF584D76EA
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFFb...WAVEfmt ........D....X......data>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................-.........7.....y...I.5))(..,.X....h.L.X.........P.............Q.'....#.....d.}...(..............2........(.$.....}.=........=.m..j._...}.......y...@.......T...2.......*.c...u.......1...A.)...P.....q.......8....%..,.v...,.......2.....................i.......0....[...........*.V.W...;.*.".....b.6...&...........W...].i.....V...O...9..._.}..$.u...b...............u.r.*.....d.....Y.R.....U.}...]...7.....A.........W.A...].....C.m...;.

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-OU4FF.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 24000 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):50454
                                                                                                                                                    Entropy (8bit):7.132841508547479
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:XR8h/Ashig01KTPg+tZXhbLkxmXwvBy4QfSuR37v5qzQRYG/gIez:Xfs0zkjft3fkxmOI4Q6uF7v5qzeJgIez
                                                                                                                                                    MD5:18BBD6A2A31120E65FBB59909674D339
                                                                                                                                                    SHA1:2DE3DFC75C04B3C38538F448C13B9C6529676A3D
                                                                                                                                                    SHA-256:2AC1CEF32CC5A514375AEF53D82B84F5BF7F5463520DA497C3DFCD41FFD0DCDA
                                                                                                                                                    SHA-512:AE1F60E8AB60A11F1E118F3951480D167A41076ED506913CCD67EE9A6255D41AC5A1E173265E30B8954937903BD028A3147F8F69845D2D18FB21F0562E9CD7F3
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF....WAVEfmt .........]..........data........................................................................................................................................................................................................................................................................................ .......................................................................#.........................../.u...,...9.....L.........P.....M...m.......-...\.J.u...7...`...........+.....~.'....~...............B....!."Q!..M...x.N...B...e.g.........?.....{.I.P.....f...V.....].c.{.d.....T.P.......+..E..3.....#.%......V.......$"N,T1.0.*.!..k.`...7.W.&.C.".}.\...g...).............<.*.=./.....\...z.......e...........N.....-......Z..............).-_*. 7...,.Q.....................D...........|.........u.........w...}.c.....R.R...]...1.2......L.<.j.....j.f....-.e .'.&..%.....................^...!.g.............k.;.M.....&.G...D.....P.......k.....t...l.K.P......=....J.....

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-R2L57.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 24000 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):59894
                                                                                                                                                    Entropy (8bit):6.838365676849903
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:UU+/iLUqeJcKYn9lgxaQDyJVv06RvWYI2SN6gQVfF:UUocOyoa93v061WYI2TF
                                                                                                                                                    MD5:654A9C620731AE72D26D3777418FA647
                                                                                                                                                    SHA1:B1CAB3E17046914CDB3F4D22DC3A71F747F8728E
                                                                                                                                                    SHA-256:E6A06409A9B1AF41FC2242AB98D8B8F588B54DB7ED583C299838D135CE2A1D73
                                                                                                                                                    SHA-512:CC7E0328249A3A08AB533153C168B707A30B0223D9AEDE1BD84AB1B33A3B5D60193120019B25BD8C18B92B454C14F653A54D31EC00F0DFF41CA60C8E020CB573
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF....WAVEfmt .........]..........data....................3.>...%...z.......[.Z.....K.....G.....N.....Z.'.....h.w.......>.!....... .................=.....:.%...e.....I.....4.....W.....................;.....5.......@.....S.#...M.E.....8...4.Y.......!.....s.<.8.R.T...k.a.a.f.^...G.......2.......[.....k.........}..........z..o.............;.]...)...............I.r...m.e.....0...".....$.'.J.h.=...L.................e.2.....N.c...S...$...q...v.[..........................i.w...d.%._.1.;...].s.N...g.....#.v.l......z.i..9.H...$.*.....D.h.s...z.............N.`...M.....8.L.I...0.. ../.}.5.R.......g.......-.I.-....[...!.........Y...A.....$.Z.....d.}..............[.....b...H.n.......p.......~...'.c.......e......m...(.\...T.a.x.9.....>.......6.I...........K.............U!..../.............b.........:.\.......w.....[..........._.........k.2.s.=...x...0.P...q...................H...v...=............2.............D.j...V.......;...3.s.....J...7.....8...................!.......H.....D.

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-RASIR.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):87678
                                                                                                                                                    Entropy (8bit):6.600950279412908
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:MihVUU7j10GvDy2s65epfQ3XR7xTv7sHb+SAAVOhYmfE5RpX0+j6q2AcXe4Ldpq8:7UU7j6GjXDpEZAAVhD0+j6ve4hpq8
                                                                                                                                                    MD5:00E641ECF71AAFBEDF54F6D948CA8B58
                                                                                                                                                    SHA1:D235AB2E36BBD4974D6628FAAB9622A4D77F9328
                                                                                                                                                    SHA-256:0D670F271DBC8DDD1F8ADD6C01CDAD1678E8D968A38482A09B69AF2A4E12C3C2
                                                                                                                                                    SHA-512:AED88A9E8D1611C79F92AD19E5F6C5B0BD67BE9D9A72D62FFE7F99E8BD5FAEC98823EBCF245C88B8E14FCCDFED203532165D36D9DDAABC12303CF043C01D8E84
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFFvV..WAVEfmt ........D....X......dataRV......................4.z.1.U.&.........x...w.......e.F.N...{...$...,.....i.2.......!.~.0...,.....H.I.Q.................*.1...............U.D.....v.g.....0...........V.X.o.j.2.Z.d.1. .........(.P...[.?....................K.-............[.......+...............w...@...N...8.....i.....".....+...N...........F.......%.....N.......E.......=.................T...'.7.U.i...>.j.........!.....M.,...:.........,...Q.......H...&...a...l...............C.......a.........,...e...+...@.0./...".a.&.....1.i...%.........7.......W.....[.,.A...`...>.....V.(.....9.(.;.(...v... ./.S.....#.........P.....(...L.....F.Q.....m...~.......`.......Q.7.1...N.....g.U.....4.................F.S.#.....0.`...*...............R...:.......<...j.............$.E.W.....~...r.P.......N...,.............%.L.....@...H...p.........0..."...L.......|.....#.;...W.....j.:...G.................U.?.....].........R.1.............}.......:.........6.k...P...r.....;...............u.K... .9.....?.

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-SMVCI.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):524890
                                                                                                                                                    Entropy (8bit):7.998477275593787
                                                                                                                                                    Encrypted:true
                                                                                                                                                    SSDEEP:12288:tHWwVw5n/cZGaKwH3OPaLBu5dTz/QoFk3mTiJYEyRLrO0NOwbVFEL:t2wVw5n63KwHeSLBurtC1a2sDQ
                                                                                                                                                    MD5:49DF22A8504B30AC0E66D0A8521BEFF2
                                                                                                                                                    SHA1:2ACDA03760A6EC4D1196197CF83A61FBB8965952
                                                                                                                                                    SHA-256:AF05178F06ECD3F8E8235DE53A91AAE011D75E6F78772B700D7C6B40D5B60479
                                                                                                                                                    SHA-512:EAFD5C5DCE9CF45B5DDA23DF702E73F60FDF6DBD163103D17C6D96179F70327896642EE89E071E6980308F0E5E60964F056D2DF86C0F5689BD35B1D0BCC8522C
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:PK.........}uY...!zF...T......bulgarian.lng.]_o.Gr.>.....D.@\E. ...c[....8...h...........'.:.....F..l'.`..+....3.(]U.3=..3.. @.......U..Uu.....7z...~..`/.{.....?.....$...e...~.../~..'~....]..}...{<.xy...?.i.l...8..x...[,`......b...=.$.A..$.....~.y...w....q.F}..wx.....o..l.w....x[.=7yS<a..l....9.&,...e...l.....d..evI....G.4p.Gn?q..{_.,.e.O8..1.p.2(.0......L.9.. .....(.x....~8.w.?.-...I.......-.O..:...]Wa.....<..E]..Fn4..X.u.z...`..^~,...Z.G..0.k.M.?..8X....t4.#X..79p.9....A..w..Q...43.#.JHuB.,@.G(...,;........-.s.?V+.)>.5,0.........?.X.*...../.6.F..j......q..ks1.,......L.z.d...N..3..V..4........U.....t......g.....9..R.;.u.. ....q..../...p..7..q}.f...p...*..<J;I.6..8.Y6..{...8.&<n.q...t<X.0.9-F.,.....Gc...;..........B.t...S.IOq...M.Gh....T`.`k...i.{..3/..4.._....yL..e.dF.ff3............7.17...Y.?.b..3.......%(..C&..{f.......h..I...C.'k..~.....AxP..M.;.`.2b....B....v.}!.n.a.'.hw\..G..7d....S.[....TD..r.1...wWlw=xp..s..[-.E....=UA.M...k.z.-..

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-T210P.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):102500
                                                                                                                                                    Entropy (8bit):6.555433845117635
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:DZbfe8QjDm2KS6RZD1FKtHNXM7g4dCJulvE7+O3zTPDOcxuVyyqqLYET7GLpQM8f:DVf2h6RVSmdE0xO3Hb9uMdVLJA
                                                                                                                                                    MD5:39A54BA919BA15551573DB2D39BA7440
                                                                                                                                                    SHA1:E595DA7379327C5AFABCE031B75C6573D0A0206A
                                                                                                                                                    SHA-256:F7EBAF259755C2F7DDBFE48E0D5351EDA8DC974C1C7A954D25EBE97BBF1CEF4A
                                                                                                                                                    SHA-512:15BF3DBFC055C27AD5AEA4C34874A850A9C97AB24C12E3C2428AC9A7C683E221FF2CA7C6283493272D7B37FA541F4EBC564316186CBDEC8F5F193EA3E3B7915E
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF\...WAVEfmt ........D....X......data8...r...!...........j.+...'...=...9.X.0...N...C...R.......+............./...6.l.J...f...........;.5...U.U.......t.....Z.=...B.........9...j...@.>.......1.....W.a.....C.........................1.......+.....0.............................7...4.I...........a.....f.............P...............+.V.2...p.|... ...{.....C.X.<.....N.....^.............].....N........x...........{.........3.............{.....D...{..._.).x./...;.o.Z..... ...`.<.............5.............3.......;.....$...X..X...,...j...O.?.....W...2...o.w.!...%...m.:.y...-.&...G.....................f.|.....\.|.s.....=...........;.O.......d...n...c.$...p...S...............(.............%.................^."...t.g.c.q.........r...9.........................Q.2.....?.Y...$.l...W.......*.....s.....D.....A.....B.H.U.M...|...d.N...b...........7.......'...}.d.......h.......(. .x.....L.Z.q...`...+..I...@.....T.p.z.......9...E...r.G.U.x.y.................7...Q.......#...h...........5...@...Q....._.

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-ULEV9.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):351747
                                                                                                                                                    Entropy (8bit):7.899316585167089
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:CAQnMm4AzR2iT0BeyMcEMHeBs/bhkS/vQQbOY+LX8d3pukVMQyP:CNX0iIBeyf+Bsdkg4yymuhfP
                                                                                                                                                    MD5:EB2B74B48971C9EE1F8739C047AEC356
                                                                                                                                                    SHA1:11B2576621F710513B34CCEDC33E86C6DBBE82BF
                                                                                                                                                    SHA-256:BD77639AE7610479AC31B66534A5AB8B84A3497DFC9DD2007FED40A565E0E7E8
                                                                                                                                                    SHA-512:D49E6F4F88C700BA6C821B8D20D1745EA456362675E8253307B8CC5B0467AE8506E53DFADDA4A4E1F7FD8D8F4DB0BBA369E4DCB194D3EDAA03A1058F76E4635C
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:PK........y..V................about.png.PNG........IHDR... ... .....szz.....tIME.....+2...%....pHYs...#...#.x.?v....gAMA......a.....IDATx...XTW../]1&k,.$&F,.((F.5.P. ....C..3 ...v...Q....m..A...!.A1.V..Q......!Fe....~.{.....=...!.... .W.G'..7.G.<Z.&..-Uy...e....Dg.)......#.OP....u.,^...H...9.K....J~x....].G.`.{.V|]s.i.-]k...;k.m.N.$..........H..^I..;N.E.4c...".o"8.........A.u...D@.u......"s..7..O^.}i........\....]..E.........d6.y..p.8f\...~.e.mo.-e.7..i..x.....n[E....2y.._2.+Sh.Dl..P.=..dbM..v...`.~.V__....n;..wu....X.v..(....4..KS.a......X./m....S...j@&K.t...k.S...M.,.j.....*.x..<...q...<~.....q..*._.a.....,.;.9..k..d.9._..I.c..M.ry.Z.....*..5...{.X....a~..f....t....x....C'.0;.{|..3C.8.a.|..).1.o..~a...4...0..).Ib.f....ST..[.._....x......Zw.3.y...^.$....#..>*:....d........n.....p....G.G0j.i..........MtL\....by..V...Z....e.H[..k $B>c....3WW.Hv............>.<h.....L.9.i.J.C)..c..$...6.o.%.q.....+..6....*.....!..~.?......A.AL.d...1..

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\is-VNAJ7.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):230274
                                                                                                                                                    Entropy (8bit):5.828753704400131
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:aNjvtDzBKXy1MzW3zioFQwGnJvCAIGLmr:azdzvDnGJ7IGqr
                                                                                                                                                    MD5:7DFF321C9C0DFBA94C1FD67B621DD759
                                                                                                                                                    SHA1:DA8910DF016404C38B0C77490D8DEEB15F6FEB73
                                                                                                                                                    SHA-256:7F6C0F42AF2125813D3FD67E57D2CF885D7D6567FBF076DAF7C13321FBB46D80
                                                                                                                                                    SHA-512:129E8BB6D545B22B552AD293101084A604E8B493A848DA9C019439F56EE073B124A53639B253E984F4835CAC2B4F907C98DAEEF2B10266E396D89EEBF60F1651
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFFz...WAVEfmt ........D....X......dataV...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\notify.wav (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):54890
                                                                                                                                                    Entropy (8bit):6.922608548070075
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:k3RE1QCkFCNf8vCrzR6Rzrw7zRgxwqz5LI9jT7s:+zc8vCrYUzRb6+9v7s
                                                                                                                                                    MD5:E83E11BFCF969E11C40BB415D3F80D2B
                                                                                                                                                    SHA1:1D317B80265E40CCD7A31E8B2C09FB243FEBCBAF
                                                                                                                                                    SHA-256:0EF947556E4E00E3FCDB55EBEE46A6932F08111DC7D18C5E9AED1BD7D936E667
                                                                                                                                                    SHA-512:E220BCAEE82C9BB6FD035EEE7D5D9436765907231DF42D006EA072C2A26F526941BAE97684D4EE18AE86DA7104C2CB67D3228DD73FBA59F20AB246AF584D76EA
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFFb...WAVEfmt ........D....X......data>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................-.........7.....y...I.5))(..,.X....h.L.X.........P.............Q.'....#.....d.}...(..............2........(.$.....}.=........=.m..j._...}.......y...@.......T...2.......*.c...u.......1...A.)...P.....q.......8....%..,.v...,.......2.....................i.......0....[...........*.V.W...;.*.".....b.6...&...........W...].i.....V...O...9..._.}..$.u...b...............u.r.*.....d.....Y.R.....U.}...]...7.....A.........W.A...].....C.m...;.

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\notify2.wav (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):114220
                                                                                                                                                    Entropy (8bit):5.815286660197201
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:6ToO1ilKTJMbmAiekySMd10fQfYKs2LfjfN2IupDrOQnQ6a+wX43E5PF:6TTiEMmFekySMH03KsiQDrO1D
                                                                                                                                                    MD5:9B9C547DA31F05167D03B9A9C4794A1E
                                                                                                                                                    SHA1:5CB65DA494D1BE506D00CCFC523D39C1AF4BF44E
                                                                                                                                                    SHA-256:CC8E7CED06DED913DC63F3DC48442D4B78247E98A0B1481ABAD421446E7B9725
                                                                                                                                                    SHA-512:97A0199C1B76A1B9FC54A7DFA52197754905248921D2268D2D963EAABB3DDCA6401389B61E44278E8179532E08FC82D0F75B3EADB8D8B1026F0508709958F132
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF$...WAVEfmt ........D....X......data................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Resources\remind.wav (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 24000 Hz
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):59894
                                                                                                                                                    Entropy (8bit):6.838365676849903
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:UU+/iLUqeJcKYn9lgxaQDyJVv06RvWYI2SN6gQVfF:UUocOyoa93v061WYI2TF
                                                                                                                                                    MD5:654A9C620731AE72D26D3777418FA647
                                                                                                                                                    SHA1:B1CAB3E17046914CDB3F4D22DC3A71F747F8728E
                                                                                                                                                    SHA-256:E6A06409A9B1AF41FC2242AB98D8B8F588B54DB7ED583C299838D135CE2A1D73
                                                                                                                                                    SHA-512:CC7E0328249A3A08AB533153C168B707A30B0223D9AEDE1BD84AB1B33A3B5D60193120019B25BD8C18B92B454C14F653A54D31EC00F0DFF41CA60C8E020CB573
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:RIFF....WAVEfmt .........]..........data....................3.>...%...z.......[.Z.....K.....G.....N.....Z.'.....h.w.......>.!....... .................=.....:.%...e.....I.....4.....W.....................;.....5.......@.....S.#...M.E.....8...4.Y.......!.....s.<.8.R.T...k.a.a.f.^...G.......2.......[.....k.........}..........z..o.............;.]...)...............I.r...m.e.....0...".....$.'.J.h.=...L.................e.2.....N.c...S...$...q...v.[..........................i.w...d.%._.1.;...].s.N...g.....#.v.l......z.i..9.H...$.*.....D.h.s...z.............N.`...M.....8.L.I...0.. ../.}.5.R.......g.......-.I.-....[...!.........Y...A.....$.Z.....d.}..............[.....b...H.n.......p.......~...'.c.......e......m...(.\...T.a.x.9.....>.......6.I...........K.............U!..../.............b.........:.\.......w.....[..........._.........k.2.s.=...x...0.P...q...................H...v...=............2.............D.j...V.......;...3.s.....J...7.....8...................!.......H.....D.

                                                                                                                                                    C:\Program Files\FreeFileSync\Uninstall\is-EQHL2.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):3414640
                                                                                                                                                    Entropy (8bit):6.589239930239391
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:49152:udJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQi333qFI:AJYVM+LtVt3P/KuG2ONG9iqLRQi333q
                                                                                                                                                    MD5:AFC70B74FF6456A1DB47AA6A5480A389
                                                                                                                                                    SHA1:DA7D29720A817A677DCC6AD09ACE07159D1013DA
                                                                                                                                                    SHA-256:A23438A6655F6F3AA29657497F82E841CF7B7A5E2FACC86A469F3DFBBE800CEF
                                                                                                                                                    SHA-512:05DAC7C5379D1E89D4E5FF1F0371B00769C64ACEE01AF0AC53821D5E1A38D3515DC689D76A9ABDC55D4EE43C68555A3A4A05B270E7E396A97376186BA9A3D368
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..,........*.......*...@...........................4.......4...@......@...................P,.n.....,.j:...P0.Ll............3.p(....,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...Ll...P0..n..../.............@..@.............04......`3.............@..@................

                                                                                                                                                    C:\Program Files\FreeFileSync\Uninstall\unins000.dat

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:InnoSetup Log \001\357\273\277F\357\273\277r\357\273\277e\357\273\277e\357\273\277F\357\273\277i\357\273\277l\357\273\277e\357\273\277S\357\273\277y\357\273\277n\357\273\277c, version 0x418, 56033 bytes, 320946\37\user\376\, C:\Program Files\FreeFileSync\376\377\377\
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):56033
                                                                                                                                                    Entropy (8bit):3.924045111043732
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:JKTO1VoPBjc0wTe9IlhYbFVbMQFNIbWFycrptofPy2bzD1Ti+xIA+g:muVopjcvPYgmQ
                                                                                                                                                    MD5:3C4601BA30038DE5CC252228BB34C0EC
                                                                                                                                                    SHA1:CFFB2F6D1E4C7213913A096B1FD7D222029D6B70
                                                                                                                                                    SHA-256:205908B88D826F06D825FAF0CF9EEA30C3924EE91E7F91FA3D31782A4EF4101D
                                                                                                                                                    SHA-512:E2FC33E23C7353415CD9C1FBD1E94934A87AA06376092AE72EA2D32EB858E8B836986F82CD591BD7C95C4DB5EC1EDA02C9E6C61198579979B6E8851C3DE5BF45
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:Inno Setup Uninstall Log (b)....................................FreeFileSync......................................................................................................................F.r.e.e.F.i.l.e.S.y.n.c...................................................................................+.......................................................................................................................E..#......... @.......s........3.2.0.9.4.6......c.a.l.i......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c..................9.... ...........U..IFPS....D........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TCONTROL....TCONTROL.............................................

                                                                                                                                                    C:\Program Files\FreeFileSync\Uninstall\unins000.exe (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):3414640
                                                                                                                                                    Entropy (8bit):6.589239930239391
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:49152:udJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQi333qFI:AJYVM+LtVt3P/KuG2ONG9iqLRQi333q
                                                                                                                                                    MD5:AFC70B74FF6456A1DB47AA6A5480A389
                                                                                                                                                    SHA1:DA7D29720A817A677DCC6AD09ACE07159D1013DA
                                                                                                                                                    SHA-256:A23438A6655F6F3AA29657497F82E841CF7B7A5E2FACC86A469F3DFBBE800CEF
                                                                                                                                                    SHA-512:05DAC7C5379D1E89D4E5FF1F0371B00769C64ACEE01AF0AC53821D5E1A38D3515DC689D76A9ABDC55D4EE43C68555A3A4A05B270E7E396A97376186BA9A3D368
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..,........*.......*...@...........................4.......4...@......@...................P,.n.....,.j:...P0.Ll............3.p(....,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...Ll...P0..n..../.............@..@.............04......`3.............@..@................

                                                                                                                                                    C:\Program Files\FreeFileSync\Uninstall\unins000.msg

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:InnoSetup messages, version 6.0.0, 261 messages (UTF-16), Cancel installation
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):24089
                                                                                                                                                    Entropy (8bit):3.274664443443748
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:61EjNSCkf3SCqsTr6CCPanAG1GznL7VV+Iqfc51USQDztXfbKJG/pfx:61EK6CHr6f5H+7Q1USQDztB/Rx
                                                                                                                                                    MD5:6F54066EB96F26B2BD0FCE8DA6B5F146
                                                                                                                                                    SHA1:2A20CA3C15D82635C727FC4F7B1BABDC5E68032F
                                                                                                                                                    SHA-256:13841813BF9AC9E34D496D865D80C6DF6A40EAF0DD6C3793CF6B53089419FDCD
                                                                                                                                                    SHA-512:A329EE5758A8FE2D69A791B2304FB0E22AEFC5F192D3CC6B6248842C82E8D835BAA861A762B6E3F7B2EFE4AD2DDE1692924CF8193EA9A5F0DC367F4C66F89309
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:Inno Setup Messages (6.0.0) (u)......................................]..3....2t.C.a.n.c.e.l. .i.n.s.t.a.l.l.a.t.i.o.n...S.e.l.e.c.t. .a.c.t.i.o.n...&.I.g.n.o.r.e. .t.h.e. .e.r.r.o.r. .a.n.d. .c.o.n.t.i.n.u.e...&.T.r.y. .a.g.a.i.n...&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.

                                                                                                                                                    C:\Program Files\FreeFileSync\User Manual.pdf (copy)

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PDF document, version 1.4
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):1184858
                                                                                                                                                    Entropy (8bit):7.9402035905593955
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24576:6l7kUF9mZjMk+kbTBscPr436Igjl7F+c93ZlWuajrb7:6lTF81D+kpfT436FD9muajrb7
                                                                                                                                                    MD5:321704EB18195DCE4C1078EADD53C688
                                                                                                                                                    SHA1:3E68163477D347BE9822453CE42D144E0EEBA1D7
                                                                                                                                                    SHA-256:32E221D0A3F2CE1E4963006EE95FC0FD2FB4C63CD56113C4021BDF1FBBE8C82D
                                                                                                                                                    SHA-512:6827089989FA2C1FF1C6E6DF09329B235A507ED078B03F984BF03E14B7B742961B4133A70AF647AA58A08D5DAD49799490B66E1E7E0ADD7EA1B44557CBCE4180
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:%PDF-1.4.1 0 obj.<<./Title (...M.a.n.u.a.l. .-. .F.r.e.e.F.i.l.e.S.y.n.c)./Creator (...w.k.h.t.m.l.t.o.p.d.f. .0...1.2...6)./Producer (...Q.t. .4...8...7)./CreationDate (D:20241207103401+01'00').>>.endobj.3 0 obj.<<./Type /ExtGState./SA true./SM 0.02./ca 1.0./CA 1.0./AIS false./SMask /None>>.endobj.4 0 obj.[/Pattern /DeviceRGB].endobj.6 0 obj.<<./Type /XObject./Subtype /Image./Width 572./Height 575./BitsPerComponent 8./ColorSpace /DeviceGray./Length 7 0 R./Filter /FlateDecode.>>.stream.x..w@......J ........{=..z...b=..b...;..v...;J.D.H.....v}..H'...d~..'......73......J@.......;.9.]....nJ...............R.................."QK.D..S..k$.....J.Q...h**...3.0e........d}}..........}}..z......i$q.R.R.o.P&e....T.2c.1aP_...MLL..-,..K..077351116BEBMB5.h$Q.(1.L.U.z.eP.m*.)....chdd......ccck......}.....[9;.....XYZZX.....a......q.. I.....?..2mtu...c.3.+k[;.'g..W..m..zx...s..}.y..9z..a^.{w...S......qsm.....`ogceafbD... -b...._...............M..^......3n.).~......,.....k...y+...

                                                                                                                                                    C:\Program Files\FreeFileSync\is-81S7P.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PDF document, version 1.4
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):1184858
                                                                                                                                                    Entropy (8bit):7.9402035905593955
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24576:6l7kUF9mZjMk+kbTBscPr436Igjl7F+c93ZlWuajrb7:6lTF81D+kpfT436FD9muajrb7
                                                                                                                                                    MD5:321704EB18195DCE4C1078EADD53C688
                                                                                                                                                    SHA1:3E68163477D347BE9822453CE42D144E0EEBA1D7
                                                                                                                                                    SHA-256:32E221D0A3F2CE1E4963006EE95FC0FD2FB4C63CD56113C4021BDF1FBBE8C82D
                                                                                                                                                    SHA-512:6827089989FA2C1FF1C6E6DF09329B235A507ED078B03F984BF03E14B7B742961B4133A70AF647AA58A08D5DAD49799490B66E1E7E0ADD7EA1B44557CBCE4180
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:%PDF-1.4.1 0 obj.<<./Title (...M.a.n.u.a.l. .-. .F.r.e.e.F.i.l.e.S.y.n.c)./Creator (...w.k.h.t.m.l.t.o.p.d.f. .0...1.2...6)./Producer (...Q.t. .4...8...7)./CreationDate (D:20241207103401+01'00').>>.endobj.3 0 obj.<<./Type /ExtGState./SA true./SM 0.02./ca 1.0./CA 1.0./AIS false./SMask /None>>.endobj.4 0 obj.[/Pattern /DeviceRGB].endobj.6 0 obj.<<./Type /XObject./Subtype /Image./Width 572./Height 575./BitsPerComponent 8./ColorSpace /DeviceGray./Length 7 0 R./Filter /FlateDecode.>>.stream.x..w@......J ........{=..z...b=..b...;..v...;J.D.H.....v}..H'...d~..'......73......J@.......;.9.]....nJ...............R.................."QK.D..S..k$.....J.Q...h**...3.0e........d}}..........}}..z......i$q.R.R.o.P&e....T.2c.1aP_...MLL..-,..K..077351116BEBMB5.h$Q.(1.L.U.z.eP.m*.)....chdd......ccck......}.....[9;.....XYZZX.....a......q.. I.....?..2mtu...c.3.+k[;.'g..W..m..zx...s..}.y..9z..a^.{w...S......qsm.....`ogceafbD... -b...._...............M..^......3n.).~......,.....k...y+...

                                                                                                                                                    C:\Program Files\FreeFileSync\is-8FVAV.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):147223
                                                                                                                                                    Entropy (8bit):4.884422991548549
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3072:njjdQgWoXi9Wpsy8tLd3oXU91w28OvY+KlAd7J:TTmy2oks+KAd7J
                                                                                                                                                    MD5:6E6DBAD61ECC2B74C8150A227CD51FB5
                                                                                                                                                    SHA1:746924D5F98F9B4428A17CE36FA02B0459E9BC09
                                                                                                                                                    SHA-256:CF47B6710F5ADD5EB9BF4A4455507A123E17BE212D64A266ED57E1539ACB3EBB
                                                                                                                                                    SHA-512:A95B93CB659282B978271389681C63964DD85E3E21F42C678A6932E1073D8BBB7A1269898C4CA3FB7017A8FE7496CB11B4A54F043D5C6FC1FB33F2C675C42646
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:FreeFileSync 13.9 [2024-12-07]..------------------------------..Fixed CURLE_SEND_ERROR: OpenSSL SSL_write: SSL_ERROR_SYSCALL, errno 0..Added comparison and sync context menu options for multiple folder pairs..Show file include/exclude filter directly in tooltip..Fixed file not found error when cancelling file up-/download..Fixed showing cancelled config log status after nothing to sync..Updated translation files......FreeFileSync 13.8 [2024-11-04]..------------------------------..Support raw IPv6 server address for (S)FTP..RealTimeSync: Fixed scrollbar when adding/removing folders..Don't set sync direction for partial folder pairs..Uniquely identify partial folder pairs in error message..Fixed network login prompt not showing in Windows 11 24H2......FreeFileSync 13.7 [2024-06-23]..------------------------------..Support copying symlinks between SFTP devices..Fixed input focus not being restored after comparison/sync..Fixed log file pruning not considering selected configuration..Show s

                                                                                                                                                    C:\Program Files\FreeFileSync\is-J31F1.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):390256
                                                                                                                                                    Entropy (8bit):6.134884165717768
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:B5EBllbJaaRqWCMjtIj2UpComPU8kmz7ia0oQhX:BiBllVfRqWCMYQUzeNLQh
                                                                                                                                                    MD5:93B8B77BAE7AF0FA64E9F59F8C15351E
                                                                                                                                                    SHA1:A01661073A1E0BB9EC697645EA2F5D36DDD66530
                                                                                                                                                    SHA-256:F4D1BBDBB75ED4017ADCEF6295DB223D5B633B9AFD88FD016E86434EDB97A262
                                                                                                                                                    SHA-512:FA804AA8E41647330512F00BDFA70BC6020C6CDC1AF24C2788D65CE7BD495B7007C9D4B119C9CBE571BF9089CF5843A5118690ED3956A2684403638251473D51
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$b..E...E...E...=...E...=..AE...=...E.......E.......E.......E...=...E...=...E...E.. E..l....E..l...E..l....E..Rich.E..................PE..L.....Tg...............*..........................@..........................P...........@....................................P.......................p(... ...%...d..T....................d......Xc..@............................................text...$........................... ..`.rdata..b...........................@..@.data....^...........~..............@....rsrc...............................@..@.reloc...%... ...&..................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Program Files\FreeFileSync\is-J98NS.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:Rich Text Format data, version 1, ANSI, code page 1252
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):52941
                                                                                                                                                    Entropy (8bit):4.834889561469989
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:4IwnwOuD+WlljeKquwIx0i5D/e1iHdTcoPhpkYp/T/FXOx0Bpm3APzB4D:j1OuljeMr5DGwxUETy0Bpm3Al4D
                                                                                                                                                    MD5:EE9B7FD879D57A35B5F0F575A1755F71
                                                                                                                                                    SHA1:D3CA973EAA0EC74845E2E7851A6837AE08906E67
                                                                                                                                                    SHA-256:ADC61454C4F9DA3C500501D33E2949EC5B0B857C57B3CF2FD172FBFF2BF76CDB
                                                                                                                                                    SHA-512:D32DBF8B3AB9155F008F1283D4F37225E8B66A71F3E58BC1FED566EA8FC3618773DD73A677C772BE0EA4854D75264A8765EB0A3C480418A73060ED93D4B502CF
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deftab709{\fonttbl{\f0\fswiss\fprq2\fcharset0 Segoe UI;}}..{\colortbl ;\red0\green0\blue255;\red0\green0\blue128;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\nowidctlpar\hyphpar0\qc\kerning1\f0\fs26\lang1031 FreeFileSync: Terms of Use\par....\pard\nowidctlpar\hyphpar0\fs22\par..The FreeFileSync standard and {{\field{\*\fldinst{HYPERLINK "https://freefilesync.org/faq.php#donation-edition" }}{\fldrslt{\ul\cf1\cf2\ul Donation\~Edition}}}}\f0\fs22 are for \b private\~use\b0 only.\par..\b\fs11\par..\fs22 Commercial use\b0 requires buying\b \b0 the {{\field{\*\fldinst{HYPERLINK "https://freefilesync.org/faq.php#business" }}{\fldrslt{\ul\cf1\cf2\ul FreeFileSync\~Business\~Edition}}}}\f0\fs22 . This also applies to government organizations.\par....\pard\nowidctlpar\hyphpar0\qc _____________________________________________________________\par....\pard\nowidctlpar\hyphpar0\par..A. GNU General Public License\par..B. wxWidgets License\par

                                                                                                                                                    C:\Program Files\FreeFileSync\is-TKF44.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):676464
                                                                                                                                                    Entropy (8bit):6.18963251148129
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12288:e+LGHv4E3fx+XjXh0vdb514ocPAwYf7krBl:e+Lov42x+X6lb51+ifwrL
                                                                                                                                                    MD5:DD8779C4A9D2F47F3C9279F6F7786E69
                                                                                                                                                    SHA1:6E288BE940E0035DDD3240537EDEEE3991A665A4
                                                                                                                                                    SHA-256:919322547B2E2D19BED839B8889A204A3E34742648736E2114F565751FD32351
                                                                                                                                                    SHA-512:4D710A8D95C7CFFC786743E0DA26D5A1B7CB4C9407EDD789EFA390BB2BA4A1CE670E98484E75BEFBBAF3367CE81B007CD3395F9B4F8ED2900FA086CEA7C995EC
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........|.c/.c/.c/..`..c/..f.C.c/..`...c/..g...c/..f...c/..g...c/..e..c/..b...c/.b/..c/o.j..c/o../.c/o.a..c/Rich.c/................PE..L.....Tg...............*.D...2......c........`....@.................................A.....@..................................}...........j...........*..p(...p...1...3..T....................3......P2..@............`..T............................text...jB.......D.................. ..`.rdata...,...`.......H..............@..@.data....e...........v..............@....rsrc....j.......l..................@..@.reloc...1...p...2..................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FreeFileSync.lnk

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Thu Jan 2 11:14:58 2025, mtime=Thu Jan 2 11:15:01 2025, atime=Sat Dec 7 14:38:54 2024, length=676464, window=hide
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):1019
                                                                                                                                                    Entropy (8bit):4.440515523325746
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:8JUkmcdQenKP66UADccm3uEkdA5+OdAJulN5m:8qkmcdQend6jDcb3BkdA5+OdAYN5
                                                                                                                                                    MD5:42FEABA7D7FB241D48662063CBE768E9
                                                                                                                                                    SHA1:E9ED804E5F16055C48587CB26F3695292E90D999
                                                                                                                                                    SHA-256:D4C442B9FB065708F7A51898B6B64675E44A615E79B89884A155390F709B1DE4
                                                                                                                                                    SHA-512:8703BFCDE3D9D3C67FCCFEA9A3F1F8E957953D2B16348953B43B4D60E21542C3D732AD682B92954E4574EBBA2B465EDE5E1562BA43AB6D055E2CC62137CA95B0
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:L..................F.... ...6...]....s..].......H..pR...........................P.O. .:i.....+00.../C:\.....................1....."Z.a..PROGRA~1..t......O.I"Z.a....B...............J......=..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....b.1....."Z.a..FREEFI~1..J......"Z.a"Z.a.........................7'..F.r.e.e.F.i.l.e.S.y.n.c.....n.2.pR...Y.| .FREEFI~1.EXE..R......"Z.a"Z.a..............................F.r.e.e.F.i.l.e.S.y.n.c...e.x.e.......]...............-.......\...................C:\Program Files\FreeFileSync\FreeFileSync.exe..4.F.r.e.e.F.i.l.e.S.y.n.c. .. .F.o.l.d.e.r. .C.o.m.p.a.r.i.s.o.n. .a.n.d. .S.y.n.c.h.r.o.n.i.s.a.t.i.o.n.:.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.\.F.r.e.e.F.i.l.e.S.y.n.c...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.`.......X.......320946...........hT..CrF.f4... .. ............%..hT..CrF.f4... .. ............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM.

                                                                                                                                                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealTimeSync.lnk

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Thu Jan 2 11:14:58 2025, mtime=Thu Jan 2 11:15:01 2025, atime=Sat Dec 7 14:38:48 2024, length=390256, window=hide
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):995
                                                                                                                                                    Entropy (8bit):4.504554638122623
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:80mcdQeVKPkUUADET6whkdAKe9MdAJuxm:80mcdQeVVUjDET6whkdAKUMdAw
                                                                                                                                                    MD5:B1AA19D16C8E193CC302CD39D69C93A3
                                                                                                                                                    SHA1:576FD7305060700A6CA924B94E98618FEAB908FC
                                                                                                                                                    SHA-256:796DD873644C319E79D68A94658427DA2453DC43C66862EAAEF2A8E08B4E50E3
                                                                                                                                                    SHA-512:A51EF8B8A2F7605E074DBAFBE1C8F1CBF29367FD29CE13A755E5FCC3C553466FC9A284A56903D07E7106D73ECE6576760DFB6F61A2EC39E4FAFC2C6238640D13
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:L..................F.... ........]..Faw..]...4...H..p............................P.O. .:i.....+00.../C:\.....................1....."Z.a..PROGRA~1..t......O.I"Z.a....B...............J......=..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....b.1....."Z.a..FREEFI~1..J......"Z.a"Z.a.........................7'..F.r.e.e.F.i.l.e.S.y.n.c.....n.2.p....Y.| .REALTI~1.EXE..R......"Z.a"Z.a.............................R.e.a.l.T.i.m.e.S.y.n.c...e.x.e.......]...............-.......\...................C:\Program Files\FreeFileSync\RealTimeSync.exe..(.R.e.a.l.T.i.m.e.S.y.n.c. .. .A.u.t.o.m.a.t.e.d. .S.y.n.c.h.r.o.n.i.s.a.t.i.o.n.:.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.\.R.e.a.l.T.i.m.e.S.y.n.c...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.`.......X.......320946...........hT..CrF.f4... .. ............%..hT..CrF.f4... .. ............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                                                                                                    C:\Users\Public\Desktop\FreeFileSync.lnk

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Thu Jan 2 11:14:58 2025, mtime=Thu Jan 2 11:14:58 2025, atime=Sat Dec 7 14:38:54 2024, length=676464, window=hide
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):1007
                                                                                                                                                    Entropy (8bit):4.476964830351896
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:8MUpdqKP66UADccm3uEtodA5+OdAJulN5m:8Xpdqd6jDcb3BtodA5+OdAYN5
                                                                                                                                                    MD5:D459474DFCF9F385E9DDA0008DCA775C
                                                                                                                                                    SHA1:527442D2F164275D42B1E795BF2C0F56A11A67C1
                                                                                                                                                    SHA-256:E1C3CC5F6452BAEA97550AC20241B5813D57AEC33D05D48519F305DCFD3D1B37
                                                                                                                                                    SHA-512:936D12F91839F51F1B395B0B097E46AE8F57D501A9B0A0C6ED78E1B0FFCCBB006EAB9894F66781E13575704CF78226C59283CE732DF2FDF1A0C24B4E453DD3D3
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:L..................F.... ...6...].......].......H..pR...........................P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I"Z.a....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....b.1....."Z.a..FREEFI~1..J......"Z.a"Z.a.............................F.r.e.e.F.i.l.e.S.y.n.c.....n.2.pR...Y.| .FREEFI~1.EXE..R......"Z.a"Z.a..............................F.r.e.e.F.i.l.e.S.y.n.c...e.x.e.......]...............-.......\...................C:\Program Files\FreeFileSync\FreeFileSync.exe..4.F.r.e.e.F.i.l.e.S.y.n.c. .. .F.o.l.d.e.r. .C.o.m.p.a.r.i.s.o.n. .a.n.d. .S.y.n.c.h.r.o.n.i.s.a.t.i.o.n.4.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.\.F.r.e.e.F.i.l.e.S.y.n.c...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.`.......X.......320946...........hT..CrF.f4... .. ............%..hT..CrF.f4... .. ............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?.........

                                                                                                                                                    C:\Users\Public\Desktop\RealTimeSync.lnk

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Thu Jan 2 11:14:58 2025, mtime=Thu Jan 2 11:14:58 2025, atime=Sat Dec 7 14:38:48 2024, length=390256, window=hide
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):983
                                                                                                                                                    Entropy (8bit):4.526058889329573
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:87mcdQeVKPkUUADET6whtodAKe9MdAJuxm:87mcdQeVVUjDET6whtodAKUMdAw
                                                                                                                                                    MD5:A2DF67EC2D8E01B388ED1740CB50D467
                                                                                                                                                    SHA1:E62AF34EFA8EDB04CE54A037DA647FE2A75A9C37
                                                                                                                                                    SHA-256:19E7D55056AD4DF21A2B6B46D504D62A15FB1C4B065A05A7EAEF877176E2FB25
                                                                                                                                                    SHA-512:C417A199913563A59D31112797A3E901E41E25F0F09DEFC5EF3061F46F3F38F08D7C01D13120F5F3BFEB94757ECA1AF270AD811512BA270FC2F1785A0E1BA2FB
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:L..................F.... ........]..>....]...4...H..p............................P.O. .:i.....+00.../C:\.....................1....."Z.a..PROGRA~1..t......O.I"Z.a....B...............J......=..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....b.1....."Z.a..FREEFI~1..J......"Z.a"Z.a.........................7'..F.r.e.e.F.i.l.e.S.y.n.c.....n.2.p....Y.| .REALTI~1.EXE..R......"Z.a"Z.a.............................R.e.a.l.T.i.m.e.S.y.n.c...e.x.e.......]...............-.......\...................C:\Program Files\FreeFileSync\RealTimeSync.exe..(.R.e.a.l.T.i.m.e.S.y.n.c. .. .A.u.t.o.m.a.t.e.d. .S.y.n.c.h.r.o.n.i.s.a.t.i.o.n.4.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.\.R.e.a.l.T.i.m.e.S.y.n.c...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.`.......X.......320946...........hT..CrF.f4... .. ............%..hT..CrF.f4... .. ............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:modified
                                                                                                                                                    Size (bytes):20948
                                                                                                                                                    Entropy (8bit):5.614022883066066
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:384:PKz3GCtJdgE2Y06oVBM+XJC71veFWgTjkG6WQwiaVj/w8CPfoGhDGDZ:u9t7gE5QVy+XUFeX6vfaN/8fHhDGDZ
                                                                                                                                                    MD5:130463470AF919AF9D77F0A018E972E2
                                                                                                                                                    SHA1:3F6621A2FD05B12A2C007E90CB00A9A984EC0F69
                                                                                                                                                    SHA-256:D21CF1131EF252B2A0E24DBF8A1C247FCA3F4E03AE5C3FC8907DBC42DAAC3C44
                                                                                                                                                    SHA-512:9DCF63253AA7970F92A8C6A5E1554B0537F3D06416DD2170DB9274E00BFB68203464EEE3673FF1E1A26D5E8A32E2AAA6459015647F248FDDF872557E96298FB4
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:@...e.....................e.T.E...../.y..............@..........H...............o..b~.D.poM...L..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....6.......System.Management.Automation4...............<."..Ke@...j..........System.Core.0.................Vn.F..kLsw..........System..4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.|.....#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4..................~..2K..}...0".......System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5iiwn0z5.2pr.ps1

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):60
                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k1aibm1w.qqt.psm1

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):60
                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lvbvzdyd.zhs.ps1

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):60
                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psvemjpi.0xi.psm1

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):60
                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                    C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exe

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):676464
                                                                                                                                                    Entropy (8bit):6.18963251148129
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12288:e+LGHv4E3fx+XjXh0vdb514ocPAwYf7krBl:e+Lov42x+X6lb51+ifwrL
                                                                                                                                                    MD5:DD8779C4A9D2F47F3C9279F6F7786E69
                                                                                                                                                    SHA1:6E288BE940E0035DDD3240537EDEEE3991A665A4
                                                                                                                                                    SHA-256:919322547B2E2D19BED839B8889A204A3E34742648736E2114F565751FD32351
                                                                                                                                                    SHA-512:4D710A8D95C7CFFC786743E0DA26D5A1B7CB4C9407EDD789EFA390BB2BA4A1CE670E98484E75BEFBBAF3367CE81B007CD3395F9B4F8ED2900FA086CEA7C995EC
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........|.c/.c/.c/..`..c/..f.C.c/..`...c/..g...c/..f...c/..g...c/..e..c/..b...c/.b/..c/o.j..c/o../.c/o.a..c/Rich.c/................PE..L.....Tg...............*.D...2......c........`....@.................................A.....@..................................}...........j...........*..p(...p...1...3..T....................3......P2..@............`..T............................text...jB.......D.................. ..`.rdata...,...`.......H..............@..@.data....e...........v..............@....rsrc....j.......l..................@..@.reloc...1...p...2..................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Users\user\AppData\Local\Temp\is-C4603.tmp\_isetup\_setup64.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):6144
                                                                                                                                                    Entropy (8bit):4.720366600008286
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                                    MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                                    SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                                    SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                                    SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Users\user\AppData\Local\Temp\is-C4603.tmp\img_38.bmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exe
                                                                                                                                                    File Type:PC bitmap, Windows 3.x format, 640 x 338 x 24, resolution 7800 x 7800 px/m, cbSize 649014, bits offset 54
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):649014
                                                                                                                                                    Entropy (8bit):6.87642960180676
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12288:ffkRMsYOK3+GZ8mBsnSsHIr40mE5gxJxRCNeN0HHx:fZ1snSsHIrbDeqx
                                                                                                                                                    MD5:F02176246062248EB5843803E5C8DB82
                                                                                                                                                    SHA1:F1C9422D2C97491337C81675AD2F2D1C47D878BC
                                                                                                                                                    SHA-256:1E605A29D846D793CCF51F2EC2AF461666F767FB411CB0E0191982FCA477DACA
                                                                                                                                                    SHA-512:1EBCD1F35E35414510E0FF73599053AA1C33958902B0E443F2EF4BCB73F0A12515E54964B55B596A71F6FF6786B72ACE29CBC1ABC6CA0601979E6703CC4028C3
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:BM6.......6...(.......R...............x...x...............0..2..5..7..:..>..A..D..E..H..K..N!.R".T$.V&.X(.Y).]*.a. c0 c0"e2%h5"g4#h5%h5&i6'j7'j7&k8&k8&k8&k8'j7'k6(l7)k7(j6(j6(j6(j6(j6(j7)k8)k8)k8)k8*k:*k:*k:)j9(i8*h8+i9+i9,j:,j:,j:,j<,j<,j<,j<,j<.l>.k?/i@.g@-f?,e>,e>,f=,g;,g;+f:,g;-h;-h;-i9-i9+j8+j8+j8+j8+j8)k7*l8*l8*m:-p=.s@/tA/tB0uC2wE4yG3wH0wE-vD,uC*uA+uA,vB.vA,vB.vB-uA,t@,t@-uA-uA0uB.vB.vB/wC/wC0xD0xD0xD0xD/wC0xD0wE/vD.uC-tB-tB-tB/tB/tB-tB-uA-uA-uA-u@-u@,t?-u@-u@+v@+v@+v@*u?*u?*t@*t@*t@,t?+s>+s>+s>+s>*s;*s;)r:*q9)p8(o7(o7'n6'n6'n6'n6'n6)m6)m6(l5(l5(l5'k4&j3$h3%g3&f2&d0'b/*b11e6:g<=iB<iB:iC<hC?hB>jC=kA9j>6j;1i8.i7-j8+j8+j8-l:.m;-l:,k9/l:2i:0g8/g6.f5/f5/f5/g6.i7,h8,h8,g:+f9+g7+g7)e5'b0$_-$_-%`.%`.'_.(_.'^-%],"]+!\*!\* [)!Y("Y("X)"X)"Y*#Z+"[.![+!\* [) [)!\*!\*"\,.\*!\* [)!Y(.Y'.Y'.X&.X&.Y'.Y'.Y%.X%.X% X'!X)"Y,#^,#^,$\+%\+#Z)!Y(.X&.W%.Q!.N..Q..S..Q..T .T..S..L..O..P..R..R..R..R..T .U".V#.Z$%c-.\&!_+&a/+f4/g64l;.g4,g41l93p>/k;G.SI.OCwGG{K2i80h50k81o99zC:xB3q;4u>8{D8{D9|E7x@,m54s;9x@8yB7

                                                                                                                                                    C:\Users\user\AppData\Local\Temp\is-C4603.tmp\img_38.jpg

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:JPEG image data, JFIF standard 1.02, resolution (DPCM), density 78x78, segment length 16, progressive, precision 8, 640x338, components 3
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):43986
                                                                                                                                                    Entropy (8bit):7.9774801317201804
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:s8akP/txfqiYo1xhe+Y4Sp2jb12C6MVlYRvrcT75UZH/jviObXv0Gu00E0kLS:sdAlFqiPSc12CqyN2fjvigdg
                                                                                                                                                    MD5:48AA26969F9384BD81C4723EA00E99A7
                                                                                                                                                    SHA1:1732956BB71FB52C79A5DFCCB6223BC1FB9A36CE
                                                                                                                                                    SHA-256:30D9864AFB4E0545D54C4F06F983F179EE6907F272B2598DBDEC2B26A90E3911
                                                                                                                                                    SHA-512:C832DC627344C931A439018F13675D97925A59647AB4E84558507246926F2701583BB0C014800F0EA68B0421A8707CB244A730000FFA5435E399FE7883DE7D4E
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:......JFIF.....N.N.....C....................................................................C.......................................................................R..........................................................................................9..:.V..Q.F.;A.....Vg6#"#;8RP>jG....pC ..7%...BRX.b.0...Kl...`.......9...#....`.6,..%#H...e..O...!..y...Z..../]..R.n....I".+:b..eV.R8%.......G........$...A]............X....!...J.......,....6,$.I..5-.b.G...-.y};.9....k%...,.u.....$$..IEu*H@.AIy>.O.=..^..iE,..0.....!\.5.....`.....2.#.r$F..Q!.!..b.d...JM.2i.LH...........9F.E./)..4WEJ.-.a...#.,@%!R...}w>..D..+...e4.1.2..@ .`..lX,`.6..b8n..I...G#..C...b..3...$.#H.!...@...y...*.Qw..*.S7...K.Wi.n.8...F.%ZUyB/?..|...."I.....#..m..#<.8...H,`.6......i.9..A$JI9JQ....9..`.....$.(.h.."G..]0o/..T.Kx...M..Qi..>.[.."..00RU%Q.Py....[...V......G.Ac..kL..r....b.`4.0......H.!.%.(..(..@HC...,....Q$@I.R.........F..hc.9..T...u...V.0F..6..WK:g:&..{{5.M..'...TlMeK.?.q.......F.....#.....R.. .!

                                                                                                                                                    C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):3414640
                                                                                                                                                    Entropy (8bit):6.589239930239391
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:49152:udJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQi333qFI:AJYVM+LtVt3P/KuG2ONG9iqLRQi333q
                                                                                                                                                    MD5:AFC70B74FF6456A1DB47AA6A5480A389
                                                                                                                                                    SHA1:DA7D29720A817A677DCC6AD09ACE07159D1013DA
                                                                                                                                                    SHA-256:A23438A6655F6F3AA29657497F82E841CF7B7A5E2FACC86A469F3DFBBE800CEF
                                                                                                                                                    SHA-512:05DAC7C5379D1E89D4E5FF1F0371B00769C64ACEE01AF0AC53821D5E1A38D3515DC689D76A9ABDC55D4EE43C68555A3A4A05B270E7E396A97376186BA9A3D368
                                                                                                                                                    Malicious:true
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..,........*.......*...@...........................4.......4...@......@...................P,.n.....,.j:...P0.Ll............3.p(....,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...Ll...P0..n..../.............@..@.............04......`3.............@..@................

                                                                                                                                                    C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):3414640
                                                                                                                                                    Entropy (8bit):6.589239930239391
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:49152:udJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQi333qFI:AJYVM+LtVt3P/KuG2ONG9iqLRQi333q
                                                                                                                                                    MD5:AFC70B74FF6456A1DB47AA6A5480A389
                                                                                                                                                    SHA1:DA7D29720A817A677DCC6AD09ACE07159D1013DA
                                                                                                                                                    SHA-256:A23438A6655F6F3AA29657497F82E841CF7B7A5E2FACC86A469F3DFBBE800CEF
                                                                                                                                                    SHA-512:05DAC7C5379D1E89D4E5FF1F0371B00769C64ACEE01AF0AC53821D5E1A38D3515DC689D76A9ABDC55D4EE43C68555A3A4A05B270E7E396A97376186BA9A3D368
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..,........*.......*...@...........................4.......4...@......@...................P,.n.....,.j:...P0.Ll............3.p(....,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...Ll...P0..n..../.............@..@.............04......`3.............@..@................

                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\FreeFileSync.lnk

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Thu Jan 2 11:14:58 2025, mtime=Thu Jan 2 11:15:01 2025, atime=Sat Dec 7 14:38:54 2024, length=676464, window=hide
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):1049
                                                                                                                                                    Entropy (8bit):4.4231357732167
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:88UkmcdQenKP66UADccm3uEudA5+OdAjulN5m:8nkmcdQend6jDcb3BudA5+OdAaN5
                                                                                                                                                    MD5:C68DEAC9ABA0FFD73C5DEE645CC8BF65
                                                                                                                                                    SHA1:8EC77634C0C232F77E7FCC0BD0BACBEECCA13803
                                                                                                                                                    SHA-256:FF6A143D0CB903FB3A75F45FBFC5184DC9AC2701496B24FC143AE9DF688DAF83
                                                                                                                                                    SHA-512:92FBBC9A468091B2FEF188176D2EE931F3F5F0A85A2DE8B03425D6AB85E27F461E5303E6B76979DB408EA6F238C15F11B9077FC88659A6D7F57AF6086C98B8EB
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:L..................F.... ...6...]...Kx..].......H..pR...........................P.O. .:i.....+00.../C:\.....................1....."Z.a..PROGRA~1..t......O.I"Z.a....B...............J......=..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....b.1....."Z.a..FREEFI~1..J......"Z.a"Z.a.........................7'..F.r.e.e.F.i.l.e.S.y.n.c.....n.2.pR...Y.| .FREEFI~1.EXE..R......"Z.a"Z.a..............................F.r.e.e.F.i.l.e.S.y.n.c...e.x.e.......]...............-.......\...................C:\Program Files\FreeFileSync\FreeFileSync.exe..4.F.r.e.e.F.i.l.e.S.y.n.c. .. .F.o.l.d.e.r. .C.o.m.p.a.r.i.s.o.n. .a.n.d. .S.y.n.c.h.r.o.n.i.s.a.t.i.o.n.@.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.\.F.r.e.e.F.i.l.e.S.y.n.c...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c...-.S.e.n.d.T.o. .`.......X.......320946...........hT..CrF.f4... .. ............%..hT..CrF.f4... .. ............%.E.......9...1SPS..mD..pH

                                                                                                                                                    C:\Windows\Logs\SIH\SIH.20250102.071440.062.1.etl

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Windows\System32\SIHClient.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):12288
                                                                                                                                                    Entropy (8bit):3.1599447870767547
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:FECxBlw0yh1C5h555ad5S45h57bb75I555Ea5XfHfx:FtxBlw0yh1iLjQSAL7vdwjE6XfHfx
                                                                                                                                                    MD5:F8AD3FDD628CE5DDCB7B3C90C83FFDEC
                                                                                                                                                    SHA1:37A5A05183664D452AC5FA069A9F8C276C421116
                                                                                                                                                    SHA-256:45B04E2E2D4D0C7E076B9D00D6AC9860393CEA34716068A8AA15A268A48B40F5
                                                                                                                                                    SHA-512:BAC013455519A85B11BC5D2C82699EC96512D7F181B9E9FFA48F03E39099B36B017C8FD8CC36F168CE389F6CBD1BA7BCCDA95F130B055AE9548017DB22AF510C
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:....P...P.......................................P...!....................................1J....................eJ.......K^..]..Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1................................................................Y...........q...]..........S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.5.0.1.0.2...0.7.1.4.4.0...0.6.2...1...e.t.l.......P.P..........1J....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP41C2.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Windows\System32\SIHClient.exe
                                                                                                                                                    File Type:Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):17126
                                                                                                                                                    Entropy (8bit):7.3117215578334935
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
                                                                                                                                                    MD5:1B6460EE0273E97C251F7A67F49ACDB4
                                                                                                                                                    SHA1:4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
                                                                                                                                                    SHA-256:3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
                                                                                                                                                    SHA-512:3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:MSCF............D................|...............A..........d.......................environment.xml.....b...CK..ao.0...J...&.q...-..;+.6+-i.......7.....=....g.P.RQ.#..#...QQ..p.kk..qX..)...T.....zL#<.4......\k..f..,.Q...`..K7.hP..".E.53.V.DW.X).z.=`.COO 8..8.......!$.P!`00....E.m..l .)".J.vC..J..&...5.5(.a..!..MIM...*......z.;......t.<.o..|CR.3>..n.;8dX....:....N.....U.......J.I(vT..3...N....$.._^.A<....&=._(N....m.u.1}.....Ax.b8....q~.i..0.A...*.H........A.0.@....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...,..gK.........(...._`Oa..;%.010...`.H.e....... K...,.%@.b./.a...Q.:..E.7....V~....0...0..........3....!.G~&.9......0...*.H........0~1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1(0&..U....Microsoft Update Signing CA 2.20...190502214449Z..200502214449Z0o1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Update0.."0...*

                                                                                                                                                    C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Windows\System32\SIHClient.exe
                                                                                                                                                    File Type:Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):24490
                                                                                                                                                    Entropy (8bit):7.629144636744632
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
                                                                                                                                                    MD5:ACD24F781C0C8F48A0BD86A0E9F2A154
                                                                                                                                                    SHA1:93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
                                                                                                                                                    SHA-256:5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
                                                                                                                                                    SHA-512:7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:MSCF............D...............#................A..........d........B..............environment.cab.x.\&..BCK.\.T...N.....;LB.JW.. .w!....$*...U....."........ (.. E..........w...e.Jf.3gN.{...{V.M4.!.....hn. p(... .a...f..f..j.....Kh5..l.DB\}.=.0.>..X.....z..,'..LC/>....h.>.>.........,~mVI.....'EGD]^..\{....Q....f...4.F.....q..FF.1~...Q,.."g.qq.......}.....g%Zz.;m.9..z../2Jl.p8wGO......-V....FM......y*.....Hy.xy......N.r;.@uV........Xa...b].`..F...y.Wd.e.8.[Z.s7].....=B.$...'.|.-.sC....a_(..$..i.C.T.F}...]...m.R,y.1...'..j3.....ir..B..)sR.G.*..`-=.w....m..2y.....*o...\{..C.4.:ZM..wL-$.I.x:?.!.....:..W.%&.....J.%.....~....E..T.d.Q{..p..J..pY...P../.."rp....`...#w.....'.|n%Dy,.....i....."..x.....b._..\_.^.XOo..*:.&a.`..qA.?.@..t.R/...X3.nF.&........1Z.r.S...9x........?..aP..A...f..k:..\....L...t....Q...1..A..33A1.t..)...c....;......$.$..>._....A.!g`..t...b.H.L..&.....!......v~.n...uE.x...."5.h.4..B.R.d.4.%--.`.B..."..[....l......x(..5......@.zr....

                                                                                                                                                    C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPD4BC.tmp

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Windows\System32\SIHClient.exe
                                                                                                                                                    File Type:Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):19826
                                                                                                                                                    Entropy (8bit):7.454351722487538
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
                                                                                                                                                    MD5:455385A0D5098033A4C17F7B85593E6A
                                                                                                                                                    SHA1:E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
                                                                                                                                                    SHA-256:2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
                                                                                                                                                    SHA-512:104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:MSCF....Z.......D................/..........Z....J..........d.......................environment.xml........CK....8.....w..=.9%T`.eu:.jn.E.8......m_.o?...5.K.{.3X3....^.{i..b......{.+.....y:..KW;;\..n.K=.]k..{.=..3......D$.&IQH.$-..8.r.{..HP.........g....^..~......e.f2^..N.`.B..o.t....z..3..[#..{S.m..w....<M...j..6.k.K.....~.SP.mx..;N.5..~\.[.!gP...9r@"82"%.B%..<2.c....vO..hB.Fi....{...;.}..f|..g.7..6..].7B..O..#d..]Ls.k..Le...2.*..&I.Q.,....0.\.-.#..L%.Z.G..K.tU.n...J..TM....4....~...:..2.X..p.d....&.Bj.P(.."..).s.d....W.=n8...n...rr..O._.yu...R..$....[...=H"K<.`.e...d.1.3.gk....M..<R......%1BX.[......X.....q......:...3..w....QN7. .qF..A......Q.p...*G...JtL...8sr.s.eQ.zD.u...s.....tjj.G.....Fo...f`Bb<.]k..e.b..,.....*.1.:-....K.......M..;....(,.W.V(^_.....9.,`|...9...>..R...2|.|5.r....n.y>wwU..5...0.J...*.H........J.0.I....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...>^..~a..e.D.V.C...

                                                                                                                                                    C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Windows\System32\SIHClient.exe
                                                                                                                                                    File Type:Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):30005
                                                                                                                                                    Entropy (8bit):7.7369400192915085
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
                                                                                                                                                    MD5:4D7FE667BCB647FE9F2DA6FC8B95BDAE
                                                                                                                                                    SHA1:B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
                                                                                                                                                    SHA-256:BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
                                                                                                                                                    SHA-512:DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:MSCF.....+......D...............[I...........+...I..........d.......rM..............environment.cab...Q.!+rMCK.|.XT....CI7.....AR..$..C$D....RA:....T..........o...g...>.....s....z...>..<...J.R.A......%}..... 0............\...e.z...@..{..,./.:9:X8.s^q...>.(]...I)....'..v@....!.(.i.n.!.g.8\/.+X3.E.~.pi...Q...B...."Oj..~.:....M....uB.}..v.WR........tDD......D7..j..`..5..E.2.z..C....4.s....r..Y.:.|.mtg...S..b._.....!.~Kn..E.=...x.N..e.)....xz...p..h.;..xR'...U.}........nK.+.Y........p..r _.;?.m}$..*%&...8. 7..T....,7..F...e...kI.y...q....".W.W..[..gZQ.....W.$k.T"...N.*...5.R...,+...u.~VO...R-......H7..9........].K....]....tS~*.LSi....T....3+........k......i.J.y...,.Y|.N.t.LX.....zu..8......S*7..{y.m.....Ob.....^.S8Kn.i.._.c~.x.ce.A...t........S.......i1......V..S]H....$..J....E..j...4...o.$..).....;.n<.b.}.(.J.]...Q..u,.-.Bm.[z.j..-i.."...._v.......N..+...g..v..../...;G.Yw....0..u...z....J..K.E..s&..u.h3.]J.G............Z....=.N.X..

                                                                                                                                                    Static File Info

                                                                                                                                                    General

                                                                                                                                                    File type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                    Entropy (8bit):7.999991446350162
                                                                                                                                                    TrID:
                                                                                                                                                    • ZIP compressed archive (8000/1) 100.00%
                                                                                                                                                    File name:MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip
                                                                                                                                                    File size:20'159'091 bytes
                                                                                                                                                    MD5:040e4e96b3c71169e5706b579862bb8c
                                                                                                                                                    SHA1:f9da50db010b8704a5246d42d2cd1e898a244b3f
                                                                                                                                                    SHA256:03691405dc49eed57372ef1877d246c3464453aa26ed49966cae495bb5fb95dd
                                                                                                                                                    SHA512:526d650f6444b6f03fde557879c2a860acf61159763a0d2bc019b21c69c1412d85b2858713532669b0f1b1415011c190aa91ff3b49d2e3e3028bc727c23f8c14
                                                                                                                                                    SSDEEP:393216:pq2Kbit+X0V+++W+ibqcpc9dewoRy4suC/O0ZIfblBrDfpc6fn1v70Ry:82KsotZ+qcpc9d14S/O8ULDfC6KRy
                                                                                                                                                    TLSH:3E1733934920B26608090D86B5A51B0B8E7B7BDF6337CF10283589E315DD75BBF879AC
                                                                                                                                                    File Content Preview:PK........A_"Z...n..3...;.#.$.FreeFileSync_13.9_Windows_Setup.exe.. ..............].......].......]..*.,.......lY...U-]..s..Ur..[v...>-_N3.;../a.e...`.}.U..-.j.........."5,].........|.3Y...2eq..!...tH.Y...#.....GM<...s.>~..1-Dlh.#IoTa...m..c.u.8:....]1.9l

                                                                                                                                                    File Icon

                                                                                                                                                    Icon Hash:1c1c1e4e4ececedc

                                                                                                                                                    Network Behavior

                                                                                                                                                    Suricata IDS Alerts

                                                                                                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                    2025-01-02T13:15:11.289949+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.1649708104.21.2.160443TCP

                                                                                                                                                    Network Port Distribution

                                                                                                                                                    TCP Packets

                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                    Jan 2, 2025 13:15:10.818604946 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:10.818656921 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:10.818733931 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:10.820064068 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:10.820084095 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:11.289875984 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:11.289948940 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:11.293087959 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:11.293111086 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:11.293365955 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:11.337095976 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:11.337119102 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:11.337335110 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:11.514796972 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:11.514853954 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:11.515088081 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:11.515777111 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:11.515794039 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:11.515821934 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:11.515829086 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:17.474462032 CET49709443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:17.474524975 CET44349709104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:17.474606037 CET49709443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:17.477082014 CET49709443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:17.477094889 CET44349709104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:17.931823015 CET44349709104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:17.931901932 CET49709443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:17.940447092 CET49709443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:17.940464973 CET44349709104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:17.940721989 CET44349709104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:17.940779924 CET49709443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:17.942523956 CET49709443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:17.983330965 CET44349709104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:18.129411936 CET44349709104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:18.129475117 CET44349709104.21.2.160192.168.2.16
                                                                                                                                                    Jan 2, 2025 13:15:18.129486084 CET49709443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:18.129596949 CET49709443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:18.129841089 CET49709443192.168.2.16104.21.2.160
                                                                                                                                                    Jan 2, 2025 13:15:18.129858017 CET44349709104.21.2.160192.168.2.16

                                                                                                                                                    UDP Packets

                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                    Jan 2, 2025 13:15:10.785703897 CET6277953192.168.2.161.1.1.1
                                                                                                                                                    Jan 2, 2025 13:15:10.810632944 CET53627791.1.1.1192.168.2.16

                                                                                                                                                    DNS Queries

                                                                                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                    Jan 2, 2025 13:15:10.785703897 CET192.168.2.161.1.1.10x1975Standard query (0)api.freefilesync.orgA (IP address)IN (0x0001)false

                                                                                                                                                    DNS Answers

                                                                                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                    Jan 2, 2025 13:15:10.810632944 CET1.1.1.1192.168.2.160x1975No error (0)api.freefilesync.org104.21.2.160A (IP address)IN (0x0001)false
                                                                                                                                                    Jan 2, 2025 13:15:10.810632944 CET1.1.1.1192.168.2.160x1975No error (0)api.freefilesync.org172.67.129.95A (IP address)IN (0x0001)false

                                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                                    • api.freefilesync.org

                                                                                                                                                    HTTPS Proxied Packets

                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                    0192.168.2.1649708104.21.2.1604433680C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                    2025-01-02 12:15:11 UTC212OUTPOST /new_installation HTTP/1.1
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
                                                                                                                                                    Accept: */*
                                                                                                                                                    User-Agent: FFS-Installer
                                                                                                                                                    Content-Length: 180
                                                                                                                                                    Host: api.freefilesync.org
                                                                                                                                                    2025-01-02 12:15:11 UTC180OUTData Raw: 66 66 73 5f 76 65 72 73 69 6f 6e 3d 31 33 2e 39 26 6f 73 5f 6e 61 6d 65 3d 57 69 6e 64 6f 77 73 26 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 5f 74 79 70 65 3d 4c 6f 63 61 6c 26 6f 73 5f 76 65 72 73 69 6f 6e 3d 31 30 2e 30 26 6f 73 5f 61 72 63 68 3d 36 34 26 6c 61 6e 67 75 61 67 65 3d 65 6e 26 63 6f 75 6e 74 72 79 3d 43 48 26 69 6e 73 74 61 6c 6c 65 72 5f 74 79 70 65 3d 41 64 2d 46 72 65 65 26 69 6e 73 74 61 6c 6c 65 72 5f 63 6f 6d 70 69 6c 65 72 3d 49 6e 6e 6f 26 73 74 61 74 75 73 3d 43 6f 6d 70 6c 65 74 65 64 26 73 69 6c 65 6e 74 3d 4e 6f
                                                                                                                                                    Data Ascii: ffs_version=13.9&os_name=Windows&installation_type=Local&os_version=10.0&os_arch=64&language=en&country=CH&installer_type=Ad-Free&installer_compiler=Inno&status=Completed&silent=No
                                                                                                                                                    2025-01-02 12:15:11 UTC1102INHTTP/1.1 200 OK
                                                                                                                                                    Date: Thu, 02 Jan 2025 12:15:11 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: close
                                                                                                                                                    x-robots-tag: noindex
                                                                                                                                                    x-content-type-options: nosniff
                                                                                                                                                    vary: User-Agent
                                                                                                                                                    Cache-Control: max-age=3600, public
                                                                                                                                                    strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                    referrer-policy: no-referrer-when-downgrade
                                                                                                                                                    x-frame-options: DENY
                                                                                                                                                    content-security-policy: frame-ancestors 'none';
                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rqr7kMiwa7Dw6MP2pQC%2FaUrlB7StxaAOxNbXRmniRkQyE6QHjZN%2B2561ngEtUlZzA%2B7Jdg3TCoJHnOVUbCmtfNlC7ZMHXCOsmEs6YNBilJZV9vAjkHQAw0MNz%2BX6cRjJfUna8yitLA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 8fbaac502ca14399-EWR
                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=2090&min_rtt=2064&rtt_var=792&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1028&delivery_rate=1414728&cwnd=222&unsent_bytes=0&cid=eccedcf3863354b9&ts=236&x=0"
                                                                                                                                                    2025-01-02 12:15:11 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                    Data Ascii: 0


                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                    1192.168.2.1649709104.21.2.1604436176C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe
                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                    2025-01-02 12:15:17 UTC231OUTPOST /latest_version HTTP/1.1
                                                                                                                                                    Accept: */*
                                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                    User-Agent: FFS-Update-Check
                                                                                                                                                    Host: api.freefilesync.org
                                                                                                                                                    Content-Length: 157
                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                    2025-01-02 12:15:17 UTC157OUTData Raw: 66 66 73 5f 76 65 72 73 69 6f 6e 3d 31 33 2e 39 26 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 5f 74 79 70 65 3d 4c 6f 63 61 6c 4d 61 63 68 69 6e 65 26 66 66 73 5f 76 61 72 69 61 6e 74 3d 46 72 65 65 26 6f 73 5f 6e 61 6d 65 3d 57 69 6e 64 6f 77 73 26 6f 73 5f 76 65 72 73 69 6f 6e 3d 31 30 2e 30 26 6f 73 5f 61 72 63 68 3d 36 34 26 64 69 70 5f 73 63 61 6c 65 3d 31 26 66 66 73 5f 6c 61 6e 67 3d 65 6e 5f 47 42 26 6c 61 6e 67 75 61 67 65 3d 65 6e 26 63 6f 75 6e 74 72 79 3d 43 48
                                                                                                                                                    Data Ascii: ffs_version=13.9&installation_type=LocalMachine&ffs_variant=Free&os_name=Windows&os_version=10.0&os_arch=64&dip_scale=1&ffs_lang=en_GB&language=en&country=CH
                                                                                                                                                    2025-01-02 12:15:18 UTC1097INHTTP/1.1 200 OK
                                                                                                                                                    Date: Thu, 02 Jan 2025 12:15:18 GMT
                                                                                                                                                    Content-Type: application/octet-stream
                                                                                                                                                    Content-Length: 4
                                                                                                                                                    Connection: close
                                                                                                                                                    x-robots-tag: noindex
                                                                                                                                                    x-content-type-options: nosniff
                                                                                                                                                    vary: User-Agent
                                                                                                                                                    Cache-Control: max-age=3600, public
                                                                                                                                                    strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                    referrer-policy: no-referrer-when-downgrade
                                                                                                                                                    x-frame-options: DENY
                                                                                                                                                    content-security-policy: frame-ancestors 'none';
                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Gi5oiBCURL0EeZGQ9k7y%2F%2BcbPP8CTJ5GvR2BcmCe9D33PjpW9Wu1d30jI8N%2BhdxXX7Zeh17kH1eWWVweh5t%2F1SlSJC%2FjiHA%2Fj3HycPh7aqjyII3aEMTT9xrLhYQG8yPr7FdIJ9U4g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 8fbaac7989b241df-EWR
                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1708&min_rtt=1698&rtt_var=657&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1016&delivery_rate=1641371&cwnd=252&unsent_bytes=0&cid=8c5174ed4af969e2&ts=203&x=0"
                                                                                                                                                    2025-01-02 12:15:18 UTC4INData Raw: 31 33 2e 39
                                                                                                                                                    Data Ascii: 13.9


                                                                                                                                                    Statistics

                                                                                                                                                    CPU Usage

                                                                                                                                                    Click to jump to process

                                                                                                                                                    Memory Usage

                                                                                                                                                    Click to jump to process

                                                                                                                                                    High Level Behavior Distribution

                                                                                                                                                    Click to dive into process behavior distribution

                                                                                                                                                    Behavior

                                                                                                                                                    Click to jump to process

                                                                                                                                                    System Behavior

                                                                                                                                                    General

                                                                                                                                                    Target ID:0
                                                                                                                                                    Start time:07:14:33
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                                    Imagebase:0x7ff69dcc0000
                                                                                                                                                    File size:71'680 bytes
                                                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    General

                                                                                                                                                    Target ID:3
                                                                                                                                                    Start time:07:14:40
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Windows\System32\SIHClient.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\System32\sihclient.exe /cv dJzNCxikgEKhZUcQhpdb9w.0.2
                                                                                                                                                    Imagebase:0x7ff7796b0000
                                                                                                                                                    File size:380'720 bytes
                                                                                                                                                    MD5 hash:8BE47315BF30475EEECE8E39599E9273
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:moderate
                                                                                                                                                    Has exited:true

                                                                                                                                                    General

                                                                                                                                                    Target ID:9
                                                                                                                                                    Start time:07:14:44
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe"
                                                                                                                                                    Imagebase:0xc70000
                                                                                                                                                    File size:20'692'472 bytes
                                                                                                                                                    MD5 hash:954CEE0E02BAC777F4DB7A05EE8BDA65
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:Borland Delphi
                                                                                                                                                    Reputation:low
                                                                                                                                                    Has exited:true

                                                                                                                                                    General

                                                                                                                                                    Target ID:10
                                                                                                                                                    Start time:07:14:45
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\is-L5AS6.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$70274,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe"
                                                                                                                                                    Imagebase:0x370000
                                                                                                                                                    File size:3'414'640 bytes
                                                                                                                                                    MD5 hash:AFC70B74FF6456A1DB47AA6A5480A389
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:Borland Delphi
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                                                    Reputation:low
                                                                                                                                                    Has exited:true

                                                                                                                                                    General

                                                                                                                                                    Target ID:13
                                                                                                                                                    Start time:07:14:45
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$402E4 /NOTIFYWND=$70274
                                                                                                                                                    Imagebase:0xc70000
                                                                                                                                                    File size:20'692'472 bytes
                                                                                                                                                    MD5 hash:954CEE0E02BAC777F4DB7A05EE8BDA65
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:Borland Delphi
                                                                                                                                                    Reputation:low
                                                                                                                                                    Has exited:true

                                                                                                                                                    General

                                                                                                                                                    Target ID:14
                                                                                                                                                    Start time:07:14:46
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\is-KLLAB.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$60232,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$402E4 /NOTIFYWND=$70274
                                                                                                                                                    Imagebase:0x840000
                                                                                                                                                    File size:3'414'640 bytes
                                                                                                                                                    MD5 hash:AFC70B74FF6456A1DB47AA6A5480A389
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:Borland Delphi
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                                                    Reputation:low
                                                                                                                                                    Has exited:true

                                                                                                                                                    General

                                                                                                                                                    Target ID:15
                                                                                                                                                    Start time:07:14:46
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\is-C4603.tmp\FreeFileSync.exe" ffs_setup_convert_jpg_to_bmp "C:\Users\user\AppData\Local\Temp\is-C4603.tmp\img_38.jpg"
                                                                                                                                                    Imagebase:0xc50000
                                                                                                                                                    File size:676'464 bytes
                                                                                                                                                    MD5 hash:DD8779C4A9D2F47F3C9279F6F7786E69
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                                                    Reputation:low
                                                                                                                                                    Has exited:true

                                                                                                                                                    General

                                                                                                                                                    Target ID:16
                                                                                                                                                    Start time:07:15:01
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'"
                                                                                                                                                    Imagebase:0x980000
                                                                                                                                                    File size:433'152 bytes
                                                                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    General

                                                                                                                                                    Target ID:17
                                                                                                                                                    Start time:07:15:01
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    General

                                                                                                                                                    Target ID:18
                                                                                                                                                    Start time:07:15:01
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Program Files\FreeFileSync\FreeFileSync.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Program Files\FreeFileSync\FreeFileSync.exe" ffs_setup_finalize
                                                                                                                                                    Imagebase:0x550000
                                                                                                                                                    File size:676'464 bytes
                                                                                                                                                    MD5 hash:DD8779C4A9D2F47F3C9279F6F7786E69
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:low
                                                                                                                                                    Has exited:true

                                                                                                                                                    General

                                                                                                                                                    Target ID:19
                                                                                                                                                    Start time:07:15:01
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:"C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe" ffs_setup_finalize
                                                                                                                                                    Imagebase:0x7ff70bd00000
                                                                                                                                                    File size:17'732'208 bytes
                                                                                                                                                    MD5 hash:9C31F370631A40917DF397F40C0772DB
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:true

                                                                                                                                                    General

                                                                                                                                                    Target ID:21
                                                                                                                                                    Start time:07:15:03
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                    Imagebase:0x7ff6d4dc0000
                                                                                                                                                    File size:496'640 bytes
                                                                                                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:false

                                                                                                                                                    General

                                                                                                                                                    Target ID:22
                                                                                                                                                    Start time:07:15:13
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Program Files\FreeFileSync\FreeFileSync.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Program Files\FreeFileSync\FreeFileSync.exe"
                                                                                                                                                    Imagebase:0x550000
                                                                                                                                                    File size:676'464 bytes
                                                                                                                                                    MD5 hash:DD8779C4A9D2F47F3C9279F6F7786E69
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:false

                                                                                                                                                    General

                                                                                                                                                    Target ID:23
                                                                                                                                                    Start time:07:15:13
                                                                                                                                                    Start date:02/01/2025
                                                                                                                                                    Path:C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:"C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe"
                                                                                                                                                    Imagebase:0x7ff70bd00000
                                                                                                                                                    File size:17'732'208 bytes
                                                                                                                                                    MD5 hash:9C31F370631A40917DF397F40C0772DB
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:false

                                                                                                                                                    Disassembly

                                                                                                                                                    No disassembly