Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	756299
MD5:	2816bacd01b0d8c48f1d8714c6aa6f0f
SHA1:	474ae88d9cf093dcb9789cb7b79513e0dbd38388
SHA256:	637720ba1437fd6dea873e56a6a1d7bb3c663e490abc4e406e3817dd2eb82c4f
Tags:	exe
Infos:

Detection

BrowserHistorySpy Tool, Quasar

Score:	38
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	50
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Quasar RAT

Query firmware table information (likely to detect VMs)

Changes security center settings (notifications, updates, antivirus, firewall)

May drop file containing decryption instructions (likely related to ransomware)

Writes many files with high entropy

Yara detected BrowserHistorySpy Tool by SecurityXploded

Uses 32bit PE files

Creates files inside the driver directory

Queries the volume information (name, serial number etc) of a device

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Stores large binary data to the registry

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

OS version to string mapping found (often used in BOTs)

Enables driver privileges

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Creates driver files

Contains capabilities to detect virtual machines

Enables security privileges

Registers a DLL

Creates or modifies windows services

Queries disk information (often used to detect virtual machines)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

file.exe (PID: 5244 cmdline: C:\Users\user\Desktop\file.exe MD5: 2816BACD01B0D8C48F1D8714C6AA6F0F)

sc.exe (PID: 680 cmdline: C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel" MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 5640 cmdline: C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel" MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 5744 cmdline: C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor" MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 5852 cmdline: C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor" MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 1788 cmdline: C:\Windows\System32\sc.exe config ShMonitor start= auto MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6020 cmdline: C:\Windows\System32\sc.exe config EsgShKernel start= auto MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 2108 cmdline: C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

EsgInstallerDelay__0.exe (PID: 64 cmdline: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args MHLPvv2eVF5BDDAj57kaKhLlRzVl3TCPBu81sCtfDvA= -wait 300 MD5: EDCE372DE488AA221DA7DB7544C09B3E)

conhost.exe (PID: 1332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 5312 cmdline: C:\Windows\System32\sc.exe start EsgShKernel -tt_on MD5: D79784553A9410D15E04766AAAB77CD6)

EsgInstallerDelay__1.exe (PID: 2348 cmdline: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args hOGTiE/QHFPjrWqL1njGygtJtFEVLgswO/2BlkHQX4U= -wait 300 MD5: EDCE372DE488AA221DA7DB7544C09B3E)

conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 5100 cmdline: C:\Windows\System32\sc.exe start ShMonitor MD5: D79784553A9410D15E04766AAAB77CD6)

svchost.exe (PID: 5288 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1556 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 684 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5540 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1360 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 3384 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 868 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3460 cmdline: c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2080 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 2364 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ShKernel.exe (PID: 5400 cmdline: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe MD5: F2F6BF33561C9EF8FE3310D46A3C8A25)

SpyHunter5.exe (PID: 5688 cmdline: "C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe" /hide MD5: 096FA37EA53BB15959E9EEF9FD3F2745)

ShMonitor.exe (PID: 4792 cmdline: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe MD5: F9FA9D3B5957F0C365A20DE5C71EC214)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0xd946f8:$pwsh: powershell 0xd35b48:$s2: User-Agent: 0x10069f8:$s4: LdrLoadDll 0xc35367:$v6: start 0xc3d08b:$v6: start 0xc468ae:$v6: start 0xc468c6:$v6: start 0xc63dac:$v6: start 0xc653d0:$v6: start 0xc6c3d7:$v6: start 0xc6c417:$v6: start 0xc6c457:$v6: start 0xc6ca7c:$v6: start 0xc6e627:$v6: start 0xc9b9fc:$v6: start 0xc9ba30:$v6: start 0xc9bc43:$v6: start 0xc9bc72:$v6: start 0xca2efc:$v6: start 0xca2f30:$v6: start 0xca30d9:$v6: start

Memory Dumps

Source	Rule	Description	Author	Strings
0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000001C.00000003.422519867.000001D3F58C0000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x16da4:$x1: AsyncRAT 0x1af72:$x1: AsyncRAT
0000001C.00000003.422727533.000001D3F4225000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x16d24:$x1: AsyncRAT 0x1aef2:$x1: AsyncRAT
0000001C.00000003.422306773.000001D3F5841000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x15d2c:$x1: AsyncRAT 0x19efa:$x1: AsyncRAT
0000001C.00000003.478164990.000001D3F34BE000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x435f7:$x1: AsyncRAT 0x4372c:$x1: AsyncRAT 0x43786:$x1: AsyncRAT 0x437fb:$x1: AsyncRAT
0000001C.00000003.509274290.000001D3F5D31000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BrowserHistorySpy	Yara detected BrowserHistorySpy Tool by SecurityXploded	Joe Security
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected Quasar RAT

Source: Yara match

File source: 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Cryptography

Source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates license or readme file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Program Files\EnigmaSoft\SpyHunter\license.txt

Jump to behavior

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\purl.dat	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Native.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\license.txt	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Logs\20221130_001537.krn.log
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\rh
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Temp
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Logs
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Logs\ShMonitor.log

Creates install or setup log file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\esg_setup.log

Jump to behavior

PE / OLE file has a valid certificate

Source: file.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: c:\Users\sd\Documents\SharpDevelop Projects\BackdoorNominatus\BackdoorNominatus - BLUE BUG\obj\Debug\BackdoorNominatus - BLUE BUG.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\GIT\esginstaller\_Builds\Release\win32\DelayStart-x64.pdb source: EsgInstallerDelay__0.exe, 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmp, EsgInstallerDelay__0.exe, 00000017.00000000.389009144.00007FF698130000.00000002.00000001.01000000.0000000A.sdmp, EsgInstallerDelay__1.exe, 00000019.00000000.390176462.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmp, EsgInstallerDelay__1.exe, 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: \Random Roblox Shit\MassRobloxAssetStealer\Mass-Roblox-asset-scraper-dumper\MassRobloxAssetStealer\obj\Debug\MassRobloxAssetStealer.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\builds\Release-x64\ShMonitor.pdb source: file.exe, 00000000.00000003.310467481.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.309938161.00000000045E2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\builds\Release-x64\ShKernel.pdb source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: ogger.pdbgE source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\builds\Release-x64\ShMonitor.pdb\ source: file.exe, 00000000.00000003.310467481.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.309938161.00000000045E2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\abc\Release\gerjjkrkjjk33.pdb2617365"<" source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Random Roblox Shit\MassRobloxAssetStealer\Mass-Roblox-asset-scraper-dumper\MassRobloxAssetStealer\obj\Debug\MassRobloxAssetStealer.pdbD source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Azan\onedrive\documents\visual studio 2010\Projects\Project Scorpion\Project Scorpion\obj\x86\Release\Project Scorpion.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Sources\spyhunter5\Drivers\builds\Release-ARM64\EnigmaFileMonDriver.pdb source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb50CFp1 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -D_USING_V110_SDK71_ source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\stefan.joerg\Nextcloud3\_Programmierung\SanboxTestingTool\AdvancedKEYLogger\AdvancedKEYLogger\obj\Debug\AdvancedKEYLogger.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $C:\abc\Release\gerjjkrkjjk33.pdb2617365"<" source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 0@.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: s.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $\\Wta..[3243ujwew]\\\kY0VNfo.pdb00448974 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ^Allpcoptimizer\.pdb$F source: ShKernel.exe, 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ~E:\Demo\dWwwang-SiMayRemoteMonitorOS-master\SiMayRemoteMonitorOS\SiMay.RemoteClient.NewCore\obj\Debug\SiMayServiceCore.pdb7eCG source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Azan\onedrive\documents\visual studio 2010\Projects\Project Scorpion\Project Scorpion\obj\x86\Release\Project Scorpion.pdbaG source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Trainer Creator\C++ and C#\Trainer MotoGP 22 Framework without virus\ArmYofOneEngine\obj\Release\MotoGP 22 v1.0.0.0 +17 Options.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ogger.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\GIT\esginstaller\_Builds\Release\Win32\Installer.pdb source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: ^Allpcoptimizer\.pdb$ source: ShKernel.exe, 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: type_idOTHERNAMEnameAssignerpartyNameEDIPARTYNAMEd.otherNamed.rfc822Named.dNSNamed.x400Addressd.directoryNamed.ediPartyNamed.uniformResourceIdentifierd.iPAddressd.registeredIDGENERAL_NAMEGeneralNamesGENERAL_NAMESCERTIFICATEcrypto\x509\x509name.cname=compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -D_USING_V110_SDK71_crypto\dh\dh_lib.c%*s<EMPTY> source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\nativeapp\objfre_wnet_amd64\amd64\Native.pdb source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \x64\Release\HotCoffeeRansomware.pdb9"}]h1 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (bo.pdbg source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: type_idOTHERNAMEnameAssignerpartyNameEDIPARTYNAMEd.otherNamed.rfc822Named.dNSNamed.x400Addressd.directoryNamed.ediPartyNamed.uniformResourceIdentifierd.iPAddressd.registeredIDGENERAL_NAMEGeneralNamesGENERAL_NAMESCERTIFICATEcrypto\x509\x509name.cname=compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMcrypto\dh\dh_lib.c%*s<EMPTY> source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Sources\spyhunter5\Drivers\builds\Release-ARM64\EnigmaFileMonDriver.pdbGCTL source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oella.exe.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Sources\spyhunter5\Drivers\builds\Release-x64\EnigmaFileMonDriver.pdb source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: & 7D08s.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Vegard\Documents\Visual Studio 2017\Projects\VirtualUIPro (CRYPTORIUM RANSOMWARE)\VirtualUIPro\obj\Debug\VirtualUIPro.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Demo\dWwwang-SiMayRemoteMonitorOS-master\SiMayRemoteMonitorOS\SiMay.RemoteClient.NewCore\obj\Debug\SiMayServiceCore.pdb7e source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\Administrador\mis documentos\visual studio 2010\Projects\Fortnite\Fortnite\obj\x86\Debug\Naccarella.exe.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\Wta..[3243ujwew]\\\kY0VNfo.pdb00448974 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (\x64\Release\HotCoffeeRansomware.pdb9"}]h1 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EHW###%@$WHRENBRWHrjhss.pdbgs": 8454290, source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp

Networking

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 89.187.165.194 89.187.165.194

Source: file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: file.exe, 00000000.00000003.263335717.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263349882.000000000351B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272462882.00000000044D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268462477.0000000003544000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268789699.0000000003544000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268824243.00000000044DC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268270654.0000000003544000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260831747.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263902497.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262407166.0000000003519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307318434.0000000003542000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265568181.00000000044DC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264927055.00000000044F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262488006.00000000034DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264347122.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272829020.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.309639531.000000000454A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269778409.00000000044DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl7
Source: file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl
Source: file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crlQ
Source: file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl
Source: file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263633202.0000000003548000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263633202.0000000003548000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmas
Source: file.exe, 00000000.00000003.262458403.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/log_collect.cfg
Source: file.exe, 00000000.00000003.262458403.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/log_collect.cfgH
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266193979.0000000004501000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268574609.00000000044F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268091368.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/
Source: file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf
Source: file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf--
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf6
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpwl.dat.ecf
Source: file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpwl.dat.ecf/msv0t8
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265568181.00000000044DC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_albanian.lng.ecf
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_bulgarian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(simplified).lng.ecf
Source: file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(traditional).lng
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(traditional).lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_croatian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_czech.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_danish.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_dutch.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_english.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_finnish.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_french.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_german.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_greek.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_hungarian.lng.ecf
Source: file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_hungarian.lng.ecf8
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_indonesian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_italian.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_japanese.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_korean.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_license.txt.ecf
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_lithuanian.lng.ecf
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_norwegian.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_polish.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(brazil).lng.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(portugal).lng.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(portugal).lng.ecf29t
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(portugal).lng.ecfH
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_romanian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_russian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_serbian.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_serbian.lng.ecfso
Source: file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_sloven
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_slovene.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_slovene.lng.ecfPAt
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_spanish.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_swedish.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_turkish.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_turkish.lng.ecfCy
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_ukrainian.lng.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_native.exe.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_native.exe.ecfX
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shkernel.exe.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shkernel.exe.ecf(
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shmonitor.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shshellext.dll.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_spyhunter5.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_native.exe.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shkernel.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shkernel.exe.ecfn
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shmonitor.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shshellext.dll.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecf
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecfR
Source: file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307522072.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272829020.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecfG
Source: file.exe, 00000000.00000003.268574609.00000000044F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268091368.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecfp
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def.pro/latest_def.ecf
Source: file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def.pro/latest_def.ecfY
Source: file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def/2022110703.def.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267137010.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def/latest_def.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307522072.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272829020.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/latest.ecf
Source: file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/latest.ecfH
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_initrd.gz.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_initrd.gz.ecf.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_shldr.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_shldr.mbr.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_shldr.mbr.ecfecf7O
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_vmlinuz.ecf
Source: file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_vmlinuz.ecf:
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_vmlinuz.ecffdiyHxtN/
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 00000000.00000003.261131713.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.
Source: file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263633202.0000000003548000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://svc-stats.linkury.com/StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?dist
Source: ShKernel.exe, 0000001C.00000000.403556678.00007FF7097F8000.00000008.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000005.00000002.310228109.0000027493E13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bulla.com
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ebates.com
Source: file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.enigmasoftware.com
Source: file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.entrust.net/CRL/net1.crl
Source: file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.google.compre_xpimg_entryp
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.oberhumer.com
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.268360683.00000000045A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wwwigmasoftware.com
Source: svchost.exe, 00000002.00000002.544015881.00000270A3443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000002.00000002.544015881.00000270A3443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000002.00000002.544015881.00000270A3443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263335717.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262458403.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262407166.0000000003519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263349882.000000000351B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.enigmasoft.net
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263335717.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262407166.0000000003519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263349882.000000000351B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.enigmasoft.net)
Source: file.exe, 00000000.00000003.262458403.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.enigmasoft.net19.5
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://api.enigmasoft.nethttps://www.enigmasoftware.comhttps://clicktoverify.truste.com/pvr.php?pag
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.release.cyclonis.net/v1/download?app=cyclonis-backup&os=win
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000002.00000002.544015881.00000270A3443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000002.00000002.544015881.00000270A3443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: svchost.exe, 00000005.00000002.310323507.0000027493E2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.310439985.0000027493E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.309587506.0000027493E4F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310494665.0000027493E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000005.00000002.310323507.0000027493E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.310439985.0000027493E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000005.00000002.310323507.0000027493E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000005.00000003.309791016.0000027493E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310459621.0000027493E43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309723338.0000027493E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000005.00000003.309791016.0000027493E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310459621.0000027493E43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309723338.0000027493E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309723338.0000027493E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000005.00000003.286489874.0000027493E30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000002.310494665.0000027493E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.310439985.0000027493E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.286489874.0000027493E30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://geo-ip.enigmasoft.net/location
Source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://geo-ip.enigmasoft.net/locationgeo_countrycountryosos_lang%1%%2%os_versionx86x64os_arch;ARMge
Source: file.exe, 00000000.00000003.267369004.0000000003544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmas
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmas3CO
Source: file.exe, 00000000.00000003.272462882.00000000044D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269795946.00000000044E5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268644221.00000000044E5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267107205.00000000044E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasB
Source: file.exe, 00000000.00000003.311359366.0000000004574000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269652390.0000000004574000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313320979.0000000004574000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307103077.0000000004574000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268391208.0000000004574000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272301534.000000000456F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268270654.0000000003544000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.274013257.0000000004574000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268541807.0000000004574000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmaso
Source: file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftw
Source: file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266193979.0000000004501000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268574609.00000000044F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268091368.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/M
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpwl.dat.ecf
Source: file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpwl.dat.ecf1c6
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265568181.00000000044DC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_albanian.lng.ecf
Source: file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_albanian.lng.ecfKDn
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_bulgarian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(simplified).lng.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(traditional).lng.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(traditional).lng.ecfDVD
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_croatian.lng.ecf
Source: file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_croatian.lng.ecfiEp
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_czech.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_danish.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_dutch.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_english.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_finnish.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_french.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_german.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_greek.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_hungarian.lng.ecf
Source: file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_hungarian.lng.ecfdE
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_indonesian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_italian.lng.ecf
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_japanese.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_korean.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_license.txt.ecf
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_lithuanian.lng.ecf
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_norwegian.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_polish.lng.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(brazil).lng.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(brazil).lng.ecfQsTb
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(portugal).lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_romanian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_russian.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_serbian.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_slovene.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_spanish.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_spanish.lng.ecfY
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_swedish.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_swedish.lng.ecfg
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_turkish.lng.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_ukrainian.lng.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_ukrainian.lng.ecfhtm
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272528971.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_native.exe.ecf
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shkernel.exe.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shmonitor.exe.ecf
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shmonitor.exe.ecfR
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shshellext.dll.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_spyhunter5.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_spyhunter5.exe.ecf)
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_native.exe.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_native.exe.ecf(
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_native.exe.ecff
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shkernel.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shkernel.exe.ecfj
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shmonitor.exe.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shmonitor.exe.ecfR
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shshellext.dll.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shshellext.dll.ecfq
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecfD
Source: file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307522072.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272829020.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/def.pro/latest_def.ecf
Source: file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272528971.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/def/2022110703.def.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267137010.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272528971.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/def/2022110703.def.ecf7
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267137010.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272528971.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/def/2022110703.def.ecfH
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267137010.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/def/latest_def.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307522072.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272829020.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/latest.ecf
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://myaccount.enigmasoftware.com/forgot-password/85000.0doc
Source: file.exe, 00000000.00000003.269556765.00000000045EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://purchase.enigmasoftware.com
Source: file.exe, file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262470538.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269586761.0000000004555000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://purchase.enigmasoftware.com/purchase_spyhunter.php?sid=lav&dc=H2O75
Source: file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262470538.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://purchase.enigmasoftware.com/purchase_spyhunter.php?sid=lav&dc=H2O750x01xDa
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://sh.downloads.enigmasoft.net/sh/def/updates/%1%/%2%_updates.ecf
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sh.downloads.enigmasoft.net/sh/def/updates/%1%/%2%_updates.ecf/R
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://sh.downloads.enigmasoft.net/sh/ticket_problem_types/https://purchase.enigmasoftware.com/spyh
Source: svchost.exe, 00000005.00000002.310439985.0000027493E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.310228109.0000027493E13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310439985.0000027493E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.309771847.0000027493E46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309723338.0000027493E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.309771847.0000027493E46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309723338.0000027493E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000003.286489874.0000027493E30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000003.286489874.0000027493E30000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310423105.0000027493E3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000005.00000003.309587506.0000027493E4F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310494665.0000027493E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://tt.web.enigmasoftware.com/analytics_all/callback_functions/tt_callback.php10-100enigmasoftwa
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263335717.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263513883.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tt.web.enigmasoftware.com/analytics_all/callback_functions/tt_callback.php?hwx=%HWID%&lng=%L
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cyclonis.com/eula-password-manager/
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/about-us/inquiries-feedback/).
Source: file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/enigmasoft-discount-terms/
Source: file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263165543.0000000003573000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/enigmasoft-discount-terms/.
Source: file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/enigmasoft-privacy-policy/
Source: file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263165543.0000000003573000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/enigmasoft-privacy-policy/;
Source: file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/program-uninstall-steps/.
Source: file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263165543.0000000003573000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/sh/license.txt.
Source: file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/spyhunter-additional-terms-conditions/.
Source: file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/spyhunter-eula/.
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp, ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/spyhunter-remover-details/#windows
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/spyhunter5-special-promotion-terms/
Source: file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263474019.00000000034F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/support/
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.google-analytics.com/batch
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.google-analytics.com/batch%1%

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match

File source: 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands

May drop file containing decryption instructions (likely related to ransomware)

Source: ShKernel.exe, 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: HELP_DECRYPT\.PNG

Writes many files with high entropy

Source: C:\Users\user\Desktop\file.exe	File created: C:\sh5ldr\vmlinuz entropy: 7.99836962763	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng entropy: 7.99615643718	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng entropy: 7.99609971693	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng entropy: 7.99595141601	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng entropy: 7.99680078701	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng entropy: 7.99711126287	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng entropy: 7.99623035502	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Finnish.lng entropy: 7.99615411913	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\French.lng entropy: 7.99671313322	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\German.lng entropy: 7.99580751358	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Greek.lng entropy: 7.99705640146	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng entropy: 7.99572990145	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng entropy: 7.99581949466	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng entropy: 7.99666220285	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Hungarian.lng entropy: 7.99689859487	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Indonesian.lng entropy: 7.9957351524	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Italian.lng entropy: 7.9965164076	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Japanese.lng entropy: 7.9961756396	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Korean.lng entropy: 7.99693442691	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Lithuanian.lng entropy: 7.99626718925	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Norwegian.lng entropy: 7.99690916426	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Polish.lng entropy: 7.99635386591	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Brazil).lng entropy: 7.99562562154	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Portugal).lng entropy: 7.99640862281	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Romanian.lng entropy: 7.99641530631	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Russian.lng entropy: 7.99701029921	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Serbian.lng entropy: 7.99604698987	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Slovene.lng entropy: 7.99606091645	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Spanish.lng entropy: 7.99638398778	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Swedish.lng entropy: 7.99555096602	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Turkish.lng entropy: 7.99631936477	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Ukrainian.lng entropy: 7.99690213117	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def entropy: 7.99980150219	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Defs\Rh\full.dat entropy: 7.99721527657	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\data\acpwl.dat entropy: 7.99684565062	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\sh5ldr\initrd.gz entropy: 7.99524171727	Jump to dropped file
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\data\CrCache.dat entropy: 7.99988653068	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000001C.00000003.422519867.000001D3F58C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001C.00000003.422727533.000001D3F4225000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001C.00000003.422306773.000001D3F5841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001C.00000003.478164990.000001D3F34BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe, type: DROPPED	Matched rule: Detects SystemBC Author: ditekSHen

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates files inside the driver directory

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

File created: C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys

Yara signature match

Source: 0000001C.00000003.422519867.000001D3F58C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001C.00000003.422727533.000001D3F4225000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001C.00000003.422306773.000001D3F5841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001C.00000003.478164990.000001D3F34BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe, type: DROPPED	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC

Creates files inside the system directory

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

File created: C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_034EA7C8
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69812B6B0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF6980F10F0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69810D96C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69812B970
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69811AABC
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF6981052E8
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF6981282D0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698127C70
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69811C450
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69810BD28
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698118D70
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698110D44
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69811CD4C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698117DE0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF6980FD5F0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF6980F9DE0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69810CE5C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69810E66C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698127EA0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698110EF0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69810A728
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698108708
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69811A758
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698111F60
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698100F40
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698106F3C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698114FCC
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69811D8B4
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF6981278E0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A570B6B0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56D10F0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56EE66C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56ECE5C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E8708
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56F0EF0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A5707EA0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56F8D70
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56FCD4C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56F0D44
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56EBD28
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56DD5F0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56D9DE0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56F7DE0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A57078E0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56FD8B4
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56F1F60
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56FA758
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E0F40
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E6F3C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56EA728
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56F4FCC
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A57082D0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E52E8
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56FAABC
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56ED96C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A570B970
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A5707C70
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56FC450

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: String function: 00007FF698119450 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: String function: 00007FF7A56F9450 appears 65 times

PE file contains executable resources (Code or Archives)

Source: ShKernel.exe.0.dr	Static PE information: Resource name: BIN type: PE32+ executable (native) x86-64, for MS Windows
Source: ShKernel.exe.0.dr	Static PE information: Resource name: BIN type: PE32+ executable (native) Aarch64, for MS Windows
Source: SpyHunter5.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: SpyHunter5.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: SpyHunter5.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: SpyHunter5.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: SpyHunter5.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: SpyHunter5.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: COM executable for DOS

Abnormal high CPU Usage

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Process Stats: CPU usage > 98%

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNative.exe0 vs file.exe
Source: file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNative.exe0 vs file.exe
Source: file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameShMonitor.exe6 vs file.exe
Source: file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameShMonitor.exe6 vs file.exe
Source: file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameShMonitor.exe6 vs file.exe
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: originalFilename vs file.exe
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "'qwertyuiopasdfghjklzxcvbnmZXCVBNMASDFGHJKLQWERTYUIOP.drv.sys.com.scr.pif.msi.vbs.acm/~/\rbwb.exe.ocx\/ \/ \/.cpl.efi.mui.lnk.vb.js.axUsersvoidlua runtime errorunable to make castexistsexpandbaseNamedirNamepathInfowalkFailed to move %s to %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::FileSystem::Moveboolstd::stringlua_Stateluabind::objecthkcufsmovemodifyTimeMissing parameters!Esg::Classes::fVtekgBaCHLfloqy::FileSystem::WalkregistrydeleteKeydeleteValuekeyExistsC:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\enigmacommon\EnigmaCommon\LuaAPI.cppFailed to remove %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::FileSystem::RemoveFailed to remove %s!extensiondirectorycreateTimeaccessTimeFailed to delete value %s of key %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::Registry::DeleteValueFailed to alter value %s of key %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::Registry::SetValueFailed to extract string value %s of key %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::Registry::GetStringFailed to extract numeric value %s of key %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::Registry::GetNumbervalueExistssetValuegetStringgetNumbergetBooleangetCurrentControlSetKeyFailed to delete key %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::Registry::DeleteKeyWinXPWinVistaWin7Win8Win8.1Win10getFilePropertieskillProcessFailed to extract boolean value %s of key %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::Registry::GetBooleanosgetNamegetVersiongetArchitectureisSafeModeWin2kFailed to get properties of %s!Esg::Classes::fVtekgBaCHLfloqy::System::GetFilePropertiesFailed to kill proc. %d!Esg::Classes::fVtekgBaCHLfloqy::System::KillProcessFailed to kill proc. %s!Failed to fetch a list of processes! Error %d.Esg::Classes::fVtekgBaCHLfloqy::System::ListProcessescmd /c processExistslistProcessesgetSystemAccountSidgetCurrentUserSidfileVersionproductVersioninternalNameoriginalFilenameEsg::Classes::fVtekgBaCHLfloqy::Log::DebugEsg::Classes::fVtekgBaCHLfloqy::Log::NoticescresolveFailed to parse shortcut %s!Esg::Classes::fVtekgBaCHLfloqy::Shortcut::ResolvetargetargumentsFailed to execute command %S!Esg::Classes::fVtekgBaCHLfloqy::System::ExecutelogwarningdebugnoticeEsg::Classes::fVtekgBaCHLfloqy::Log::ErrorEsg::Classes::fVtekgBaCHLfloqy::Log::WarningworkDiriconPathiconIndex const vs file.exe
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InternalNameLegalCopyrightOriginalFileNameProductNameProductVersionCommentsLegalTrademarksPrivateBuild\VarFileInfo\Translation\StringFileInfo\%04X%04X\\StringFileInfo\040904E4\CompanyNameFileDescriptionFileVersionSpecialBuild%d.%d.%d.%dC:\Dev\Libs\boost_1_70_0\boost\smart_ptr\scoped_array.hppvoid __cdecl boost::scoped_array<unsigned char>::reset(unsigned char *)P vs file.exe
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .NET Init Failed. Path=%s, Status=%dpe_init_failedC:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\Scanner\FileScanPeContext.cppFileScan::PeContext::InitRSDSOriginalFilenameCopyrightcompanynamecommentsdescriptioncopyrightfileversionfiledescriptionlegalcopyrightinternalnameproductnameoriginalfilenameproductversionunsigned __int64 __cdecl boost::unordered::detail::table<struct boost::unordered::detail::map<class std::allocator<struct std::pair<struct std::pair<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > const ,class std::vector<unsigned __int64,class std::allocator<unsigned __int64> > > >,struct std::pair<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > >,class std::vector<unsigned __int64,class std::allocator<unsigned __int64> >,struct PeMetricsStatus::ImportHasher,struct std::equal_to<struct std::pair<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > > > >::min_buckets_for_size(unsigned __int64) constvoid __cdecl boost::unordered::detail::table<struct boost::unordered::detail::map<class std::allocator<struct std::pair<struct std::pair<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > const ,class std::vector<unsigned __int64,class std::allocator<unsigned __int64> > > >,struct std::pair<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > >,class std::vector<unsigned __int64,class std::allocator<unsigned __int64> >,struct PeMetricsStatus::ImportHasher,struct std::equal_to<struct std::pair<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > > > >::rehash_impl(unsigned __int64) vs file.exe
Source: file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNative.exe0 vs file.exe
Source: file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNative.exe0 vs file.exe
Source: file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNative.exe0 vs file.exe
Source: file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNative.exe0 vs file.exe
Source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEnigmaFileMonDriver.sys8 vs file.exe
Source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameShKernel.exe6 vs file.exe

Enables driver privileges

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Process token adjusted: Load Driver

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll

Creates driver files

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

File created: C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys

Enables security privileges

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe config ShMonitor start= auto
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe config EsgShKernel start= auto
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args MHLPvv2eVF5BDDAj57kaKhLlRzVl3TCPBu81sCtfDvA= -wait 300
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args hOGTiE/QHFPjrWqL1njGygtJtFEVLgswO/2BlkHQX4U= -wait 300
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe start EsgShKernel -tt_on
Source: unknown	Process created: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe start ShMonitor
Source: unknown	Process created: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process created: C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe "C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe" /hide
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe config ShMonitor start= auto
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe config EsgShKernel start= auto
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args MHLPvv2eVF5BDDAj57kaKhLlRzVl3TCPBu81sCtfDvA= -wait 300
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args hOGTiE/QHFPjrWqL1njGygtJtFEVLgswO/2BlkHQX4U= -wait 300
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe start EsgShKernel -tt_on
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe start ShMonitor

Source: Uninstall.lnk.0.dr

LNK file: ..\..\..\..\..\EnigmaSoft Limited\sh5_installer.exe

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\esg_setup.log

Jump to behavior

Source: classification engine

Classification label: sus38.rans.troj.spyw.evad.winEXE@46/58@0/7

Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT key FROM ItemTable;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT creation_utc FROM cookies WHERE creation_utc = %I64d;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: create table 'log_item' (id INTEGER PRIMARY KEY, name TEXT, scan_type INTEGER, starttime TEXT, endtime TEXT, signature_version TEXT, requested_by TEXT, scan_count INTEGER, threat_count INTEGER, status INTEGER NOT NULL, FOREIGN KEY(status) REFERENCES scan_status(status_id));
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT path FROM log_item_data WHERE log_item_id='%1%' AND status=1 LIMIT 1000;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT creation_utc FROM cookies WHERE creation_utc = %I64d;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: select id, name, host from moz_cookies;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT origin, type, permission FROM moz_perms;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT `%s` FROM `%s` WHERE `%s` LIKE ?;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT id, name, host FROM moz_cookies;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: create table 'guard_alert' (alert_id INTEGER PRIMARY KEY, timestamp INTEGER, pid INTEGER, ppath TEXT, path TEXT, size INTEGER, md5 TEXT, company_name TEXT, file_desc TEXT, file_version TEXT, is_malware INTEGER, scan_status TEXT);
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT creation_utc, host_key, name FROM cookies;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT `%s` FROM `%s` WHERE `%s` LIKE ?;MalwareObjSqliteRow::ExistsExists check failed. DB Exception occured: %s
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT id FROM moz_cookies WHERE id=%I64d;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: create table 'scan_status' (id INTEGER PRIMARY KEY, status_id INTEGER, name TEXT);
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO scan_status (status_id, name) VALUES (0, 'Started'); INSERT INTO scan_status (status_id, name) VALUES (1, 'Completed'); INSERT INTO scan_status (status_id, name) VALUES (2, 'Interrupted by user'); INSERT INTO scan_status (status_id, name) VALUES (3, 'Failed');
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: create table 'log_item_data' (id INTEGER PRIMARY KEY, log_item_id INTEGER NOT NULL, timestamp TEXT, detection_id INTEGER, path TEXT, title TEXT, status INTEGER, FOREIGN KEY(log_item_id) REFERENCES log_item(id) ON UPDATE CASCADE ON DELETE CASCADE);
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: select scope, key from webappsstore2;

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Mutant created: \BaseNamedObjects\Global\ESG_AQbwFiKkefurfkxavZoTCL
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ESGInstaller_MTX
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2680:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1332:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5508:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_01

Source: C:\Users\user\Desktop\file.exe

File created: C:\Program Files\EnigmaSoft

Jump to behavior

Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C*\AC:\Documents and Settings\clinet\Bureau\SGen-1\Project1.vbp-J
Source: ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: B*\AF:\DVD7(3514)\Documents\Visual Basic\VB Project\My Work\FolderView (Auto)\FolderView 2\Remover\Remover.vbp"90000005
Source: ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: B*\AF:\DVD7(3514)\Documents\Visual Basic\VB Project\My Work\FolderView (Auto)\FolderView 2\Remover\Remover.vbp, "value
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C*\AC:\Documents and Settings\elnashar0\Desktop\Source\mr mega.vbp
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AC:\Users\PC\Pictures\cloud\ActiveX Control Source\VB Splitter.vbp
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: F15.vbp
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: er.vbp
Source: ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: B*\AF:\DVD7(3514)\Documents\Visual Basic\VB Project\My Work\FolderView (Auto)\FolderView 2\Remover\Remover.vbp_type":
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @*\A\\192.168.40.1\ASDStaffsRep\Selam\denominationXP\Project1.vbp

Source: file.exe

String found in binary or memory: : 5 esg-installer.b-cdn.net;89.187.165.194;

Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File read: C:\Windows\System32\drivers\etc\hosts

Uses Rich Edit Controls

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Found window with many clickable UI elements (buttons, textforms, scrollbars etc)

Source: C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe

Window detected: Number of UI elements: 13

PE file has a big code size

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: file.exe

Static file information: File size 6881256 > 1048576

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\purl.dat	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Native.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\license.txt	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Logs\20221130_001537.krn.log
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\rh
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Temp
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Logs
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Logs\ShMonitor.log

PE / OLE file has a valid certificate

Source: file.exe

Static PE information: certificate valid

PE file has a big raw section

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x436400
Source: file.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x115e00

PE file imports many functions

Source: file.exe

Static PE information: More than 200 imports for KERNEL32.dll

PE file contains a mix of data directories often seen in goodware

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: c:\Users\sd\Documents\SharpDevelop Projects\BackdoorNominatus\BackdoorNominatus - BLUE BUG\obj\Debug\BackdoorNominatus - BLUE BUG.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\GIT\esginstaller\_Builds\Release\win32\DelayStart-x64.pdb source: EsgInstallerDelay__0.exe, 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmp, EsgInstallerDelay__0.exe, 00000017.00000000.389009144.00007FF698130000.00000002.00000001.01000000.0000000A.sdmp, EsgInstallerDelay__1.exe, 00000019.00000000.390176462.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmp, EsgInstallerDelay__1.exe, 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: \Random Roblox Shit\MassRobloxAssetStealer\Mass-Roblox-asset-scraper-dumper\MassRobloxAssetStealer\obj\Debug\MassRobloxAssetStealer.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\builds\Release-x64\ShMonitor.pdb source: file.exe, 00000000.00000003.310467481.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.309938161.00000000045E2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\builds\Release-x64\ShKernel.pdb source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: ogger.pdbgE source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\builds\Release-x64\ShMonitor.pdb\ source: file.exe, 00000000.00000003.310467481.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.309938161.00000000045E2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\abc\Release\gerjjkrkjjk33.pdb2617365"<" source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Random Roblox Shit\MassRobloxAssetStealer\Mass-Roblox-asset-scraper-dumper\MassRobloxAssetStealer\obj\Debug\MassRobloxAssetStealer.pdbD source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Azan\onedrive\documents\visual studio 2010\Projects\Project Scorpion\Project Scorpion\obj\x86\Release\Project Scorpion.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Sources\spyhunter5\Drivers\builds\Release-ARM64\EnigmaFileMonDriver.pdb source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb50CFp1 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -D_USING_V110_SDK71_ source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\stefan.joerg\Nextcloud3\_Programmierung\SanboxTestingTool\AdvancedKEYLogger\AdvancedKEYLogger\obj\Debug\AdvancedKEYLogger.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $C:\abc\Release\gerjjkrkjjk33.pdb2617365"<" source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 0@.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: s.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $\\Wta..[3243ujwew]\\\kY0VNfo.pdb00448974 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ^Allpcoptimizer\.pdb$F source: ShKernel.exe, 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ~E:\Demo\dWwwang-SiMayRemoteMonitorOS-master\SiMayRemoteMonitorOS\SiMay.RemoteClient.NewCore\obj\Debug\SiMayServiceCore.pdb7eCG source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Azan\onedrive\documents\visual studio 2010\Projects\Project Scorpion\Project Scorpion\obj\x86\Release\Project Scorpion.pdbaG source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Trainer Creator\C++ and C#\Trainer MotoGP 22 Framework without virus\ArmYofOneEngine\obj\Release\MotoGP 22 v1.0.0.0 +17 Options.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ogger.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\GIT\esginstaller\_Builds\Release\Win32\Installer.pdb source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: ^Allpcoptimizer\.pdb$ source: ShKernel.exe, 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: type_idOTHERNAMEnameAssignerpartyNameEDIPARTYNAMEd.otherNamed.rfc822Named.dNSNamed.x400Addressd.directoryNamed.ediPartyNamed.uniformResourceIdentifierd.iPAddressd.registeredIDGENERAL_NAMEGeneralNamesGENERAL_NAMESCERTIFICATEcrypto\x509\x509name.cname=compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -D_USING_V110_SDK71_crypto\dh\dh_lib.c%*s<EMPTY> source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\nativeapp\objfre_wnet_amd64\amd64\Native.pdb source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \x64\Release\HotCoffeeRansomware.pdb9"}]h1 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (bo.pdbg source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: type_idOTHERNAMEnameAssignerpartyNameEDIPARTYNAMEd.otherNamed.rfc822Named.dNSNamed.x400Addressd.directoryNamed.ediPartyNamed.uniformResourceIdentifierd.iPAddressd.registeredIDGENERAL_NAMEGeneralNamesGENERAL_NAMESCERTIFICATEcrypto\x509\x509name.cname=compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMcrypto\dh\dh_lib.c%*s<EMPTY> source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Sources\spyhunter5\Drivers\builds\Release-ARM64\EnigmaFileMonDriver.pdbGCTL source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oella.exe.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Sources\spyhunter5\Drivers\builds\Release-x64\EnigmaFileMonDriver.pdb source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: & 7D08s.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Vegard\Documents\Visual Studio 2017\Projects\VirtualUIPro (CRYPTORIUM RANSOMWARE)\VirtualUIPro\obj\Debug\VirtualUIPro.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Demo\dWwwang-SiMayRemoteMonitorOS-master\SiMayRemoteMonitorOS\SiMay.RemoteClient.NewCore\obj\Debug\SiMayServiceCore.pdb7e source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\Administrador\mis documentos\visual studio 2010\Projects\Fortnite\Fortnite\obj\x86\Debug\Naccarella.exe.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\Wta..[3243ujwew]\\\kY0VNfo.pdb00448974 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (\x64\Release\HotCoffeeRansomware.pdb9"}]h1 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EHW###%@$WHRENBRWHrjhss.pdbgs": 8454290, source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp

PE file contains a valid data directory to section mapping

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_034F2B57 push FFFFFFC3h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_034F21FA push esi; rep ret

PE file contains sections with non-standard names

Source: ShShellExt.dll.0.dr	Static PE information: section name: _RDATA
Source: ShKernel.exe.0.dr	Static PE information: section name: _RDATA
Source: ShMonitor.exe.0.dr	Static PE information: section name: _RDATA
Source: SpyHunter5.exe.0.dr	Static PE information: section name: _RDATA

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe

Code function: 23_2_00007FF698114B80 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Registers a DLL

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll"

Persistence and Installation Behavior

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\EnigmaSoft Limited\sh5_installer.exe

Jump to dropped file

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\EnigmaSoft Limited\sh5_installer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Native.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Jump to dropped file
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File created: C:\Windows\System32\drivers\EnigmaFileMonDriver.sys	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

File created: C:\Windows\System32\drivers\EnigmaFileMonDriver.sys

Jump to dropped file

Creates license or readme file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Program Files\EnigmaSoft\SpyHunter\license.txt

Jump to behavior

Creates install or setup log file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\esg_setup.log

Jump to behavior

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnigmaSoft\Uninstall.lnk

Jump to behavior

Creates or modifies windows services

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EnigmaFileMonDriver\Instances

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"

Hooking and other Techniques for Hiding and Protection

Stores large binary data to the registry

Source: C:\Users\user\Desktop\file.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SpyHunter5 UninstallActions

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe TID: 1280	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe TID: 1336	Thread sleep time: -300000s >= -30000s
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe TID: 1392	Thread sleep count: 57 > 30
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe TID: 1392	Thread sleep time: -57000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Last function: Thread delayed
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Program Files\EnigmaSoft\SpyHunter\Native.exe			Jump to dropped file
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\EnigmaFileMonDriver.sys			Jump to dropped file

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Thread delayed: delay time: 300000

Contains capabilities to detect virtual machines

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Thread delayed: delay time: 300000

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	API call chain: ExitProcess graph end node

Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-onecore-package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-onecore-package~31bf3856ad364e35~amd64~en-us~10.0.17134.1.catr
Source: svchost.exe, 00000007.00000002.562501957.0000022F903AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: ShKernel.exe, 0000001C.00000002.547940577.000001D380435000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\microsoft-hyper-v-online-services-package~31bf3856ad364e35~amd64~~10.0.17134.1.catat2420J
Source: svchost.exe, 00000007.00000002.562501957.0000022F903AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware7,1
Source: svchost.exe, 00000001.00000002.538821362.000001EC2D002000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-vm-package~31bf3856ad364e35~amd64~en-us~10.0.17134.1.cath
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-vm-package~31bf3856ad364e35~amd64~en-us~10.0.17134.1.cat
Source: ShKernel.exe, 0000001C.00000002.610627074.000001D380F1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-onecore-package~31bf3856ad364e35~amd64~en-us~10.0.17134.1.cats=
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-primitive-virtualmachine-package~31bf3856ad364e35~amd64~~10.0.17134.1.catcat
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-onecore-package~31bf3856ad364e35~amd64~en-us~10.0.17134.1.cato_
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-onecore-package~31bf3856ad364e35~amd64~~10.0.17134.1.catft Corporation1
Source: svchost.exe, 00000001.00000002.542299674.000001EC2D03C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.544015881.00000270A3443000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.542707471.00000265A7C29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe

Code function: 23_2_00007FF698104308 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe

Code function: 23_2_00007FF69812B970 GetProcessHeap,HeapFree,SHParseDisplayName,SHParseDisplayName,CoInitializeEx,SHOpenFolderAndSelectItems,CoUninitialize,

Enables debug privileges

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698104308 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69810BD10 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698107DC8 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698104050 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E7DC8 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E4050 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E4308 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56EBD10 SetUnhandledExceptionFilter,

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: _getptd,GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: _getptd,GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: _getptd,GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: _getptd,GetLocaleInfoA,

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe

Code function: 23_2_00007FF69812A270 swprintf,GetSystemTime,swprintf,GetCurrentThreadId,swprintf,

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000007.00000002.562862478.0000022F903BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 00000007.00000002.560281657.0000022F9036D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 00000009.00000002.543283457.0000016C46C3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000009.00000002.545646163.0000016C46D02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match

File source: 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected BrowserHistorySpy Tool by SecurityXploded

Source: Yara match

File source: 0000001C.00000003.509274290.000001D3F5D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

OS version to string mapping found (often used in BOTs)

Source: file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: if esg.sys.winVersion() > esg.c.WIN_XP then
Source: file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIN_XP
Source: file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: if esg.sys.winVersion() < esg.c.WIN_7 then return end
Source: file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: if esg.sys.winVersion() > esg.c.WIN_XP then
Source: file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIN_7
Source: file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIN_7w
Source: file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: if esg.sys.winVersion() <= esg.c.WIN_XP then

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match

File source: 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	21 Windows Service	21 Windows Service	33 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	161 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Service Execution	1 LSASS Driver	1 Registry Run Keys / Startup Folder	1 Modify Registry	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 Native API	1 DLL Side-Loading	1 LSASS Driver	141 Virtualization/Sandbox Evasion	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 DLL Side-Loading	1 Process Injection	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	32 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Regsvr32	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 DLL Side-Loading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	0%	ReversingLabs
file.exe	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	2%	ReversingLabs
C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	0%	ReversingLabs
C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll	0%	ReversingLabs
C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe	0%	ReversingLabs
C:\ProgramData\EnigmaSoft Limited\sh5_installer.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	0%	ReversingLabs
C:\Windows\System32\drivers\EnigmaFileMonDriver.sys	0%	ReversingLabs
C:\sh5ldr\shldr	0%	ReversingLabs

Source	Detection	Scanner	Label
https://dynamic.t	0%	URL Reputation	safe
http://installer.enigmas	0%	Avira URL Cloud	safe
https://installer.enigmasB	0%	Avira URL Cloud	safe
http://wwwigmasoftware.com	0%	Avira URL Cloud	safe
https://api.enigmasoft.nethttps://www.enigmasoftware.comhttps://clicktoverify.truste.com/pvr.php?pag	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://www.bulla.com	0%	Avira URL Cloud	safe
https://installer.enigmas	0%	Avira URL Cloud	safe
http://svc-stats.linkury.com/StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?dist	0%	Avira URL Cloud	safe
https://api.release.cyclonis.net/v1/download?app=cyclonis-backup&os=win	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_spyhunter5.exe.ecf)	file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_finnish.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmas	file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://installer.enigmasoftware.com/sh5/5.13.15.81/M	file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shmonitor.exe.ecfR	file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_albanian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265568181.00000000044DC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://purchase.enigmasoftware.com/purchase_spyhunter.php?sid=lav&dc=H2O75	file.exe, file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262470538.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269586761.0000000004555000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tt.web.enigmasoftware.com/analytics_all/callback_functions/tt_callback.php10-100enigmasoftwa	file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_indonesian.lng.ecf	file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_greek.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/def/2022110703.def.ecf	file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf6	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_french.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wwwigmasoftware.com	file.exe, 00000000.00000003.268360683.00000000045A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(brazil).lng.ecf	file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasB	file.exe, 00000000.00000003.272462882.00000000044D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269795946.00000000044E5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268644221.00000000044E5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267107205.00000000044E5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_japanese.lng.ecf	file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecfD	file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf--	file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_korean.lng.ecf	file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_slovene.lng.ecf	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_finnish.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/def/latest_def.ecf	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267137010.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecfG	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_native.exe.ecf	file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266193979.0000000004501000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268574609.00000000044F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268091368.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/shos5/3.18.5/sh5_initrd.gz.ecf.ecf	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000002.310323507.0000027493E2A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_danish.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_slovene.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(traditional).lng.ecfDVD	file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.enigmasoftware.com/support/	file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263474019.00000000034F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_albanian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265568181.00000000044DC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_native.exe.ecf	file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263633202.0000000003548000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(brazil).lng.ecfQsTb	file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.enigmasoft.nethttps://www.enigmasoftware.comhttps://clicktoverify.truste.com/pvr.php?pag	file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	unknown
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shshellext.dll.ecf	file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.entrust.net/CRL/net1.crl0	file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_croatian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shkernel.exe.ecf	file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_romanian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 00000005.00000002.310494665.0000027493E50000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecf	file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/shos5/3.18.5/sh5_shldr.mbr.ecfecf7O	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_hungarian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_lithuanian.lng.ecf	file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_croatian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_turkish.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://purchase.enigmasoftware.com	file.exe, 00000000.00000003.269556765.00000000045EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://purchase.enigmasoftware.com/purchase_spyhunter.php?sid=lav&dc=H2O750x01xDa	file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262470538.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/def/latest_def.ecf	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267137010.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/latest.ecfH	file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpwl.dat.ecf/msv0t8	file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_norwegian.lng.ecf	file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.enigmasoftware.com/forgot-password/85000.0doc	file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	false		high
http://www.bulla.com	ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecf	file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307522072.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272829020.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_czech.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmas	file.exe, 00000000.00000003.267369004.0000000003544000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.enigmasoftware.com/enigmasoft-discount-terms/.	file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263165543.0000000003573000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.enigmasoftware.com/program-uninstall-steps/.	file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_romanian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_russian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(portugal).lng.ecf29t	file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/shos5/3.18.5/sh5_vmlinuz.ecf:	file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_french.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.release.cyclonis.net/v1/download?app=cyclonis-backup&os=win	ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_sloven	file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=	svchost.exe, 00000005.00000003.286489874.0000027493E30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000005.00000003.286489874.0000027493E30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/log_collect.cfgH	file.exe, 00000000.00000003.262458403.0000000003513000.00000004.00000800.00020000.00000000.sdmp	false		high
http://svc-stats.linkury.com/StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?dist	ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.enigmasoftware.com/spyhunter5-special-promotion-terms/	ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_croatian.lng.ecfiEp	file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_spanish.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.enigmasoftware.com/sh/license.txt.	file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263165543.0000000003573000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_swedish.lng.ecfg	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/shos5/3.18.5/sh5_vmlinuz.ecffdiyHxtN/	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(traditional).lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecf	file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.enigmasoftware.com/spyhunter-eula/.	file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266193979.0000000004501000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268574609.00000000044F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268091368.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpwl.dat.ecf1c6	file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.enigmasoftware.com/spyhunter-remover-details/#windows	file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp, ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000002.310439985.0000027493E3E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf	file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_bulgarian.lng.ecf	file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shmonitor.exe.ecfR	file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecfp	file.exe, 00000000.00000003.268574609.00000000044F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268091368.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000005.00000003.309771847.0000027493E46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309723338.0000027493E41000.00000004.00000020.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_hungarian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_slovene.lng.ecfPAt	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
172.217.168.68	unknown	United States	15169	GOOGLEUS	false
172.217.168.46	unknown	United States	15169	GOOGLEUS	false
34.240.252.91	unknown	United States	16509	AMAZON-02US	false
89.187.165.194	unknown	Czech Republic	60068	CDN77GB	false
108.156.60.5	unknown	United States	16509	AMAZON-02US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756299
Start date and time:	2022-11-30 00:13:28 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 33s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus38.rans.troj.spyw.evad.winEXE@46/58@0/7
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 92.6%) Quality average: 69.1% Quality standard deviation: 29.5%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Execution Graph export aborted for target file.exe, PID 5244 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:15:30	API Interceptor	1x Sleep call for process: EsgInstallerDelay__1.exe modified
00:15:30	API Interceptor	1x Sleep call for process: EsgInstallerDelay__0.exe modified
00:15:47	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	61376
Entropy (8bit):	7.99721527656712
Encrypted:	true
SSDEEP:	1536:oGRxST1xi3yoeuedpBKgmS0ITGUTdZWz4Hae4:jSTvineonITvT7Wzte4
MD5:	A23943F49D9212F92A2444941A00870B
SHA1:	8E2C8C6A4039A4A83D9294721043E842A48E7893
SHA-256:	3316093484F7F93128B03E4671EAE32B077A022386958E113C329ECEDC3FF3C8
SHA-512:	70B3E388DB46A0430734C783F4248B11E1E86F56AF9F2F4BF3FA288BFCA49AA2EFAE6B9AE297907CCFFBDD1D4117DDF13AF4F89C669C0AFF4CC9C6DF4324C92D
Malicious:	true
Preview:	..%.2Z....;r.).1.>3.....Y.....t..r{DRP.....I.)N...J..~.2$....e7L.kW.sOx.....55.>-<!...:...@.(..7.K{..0..$>Ht.e.P8.N(m.z...b3.......,....\|MH.:....r.."Oo....~.9.\|...y...S~o...8{fDp....H.u.I.j.....'./.......9J....M...-6.qu.d.n..m......U....E...:w..@.\|.I^........iH..<.B&)5....#.p.w@...Rc.....%b/f...uDK"....SL.....]..'$.I..e.k=H8.fu.-...d.[..`.r=...JAMwC....Zs..,c.aT.4.j.../.."...4-{3._;}2...g2.j.".S...?.A...c...U...].....H...........Nu..>.\O.{.J..P...W.dbz..Z..o.s......x.._p..W.]...9.>$..._9K.=cXS...n....18.k...h.3....ikS(x.....^fw..(.'J..c .[1T8H..(.0.T.<.........Y........NF..J.#...Ib..r...?..+..S..eS.~..F..k.7,..7..6.".R.V,....;.!a./.o....x.g.A..p/RK.....85.p.u.j>..}..x.X.]...5...#$.`...;Bm#.A..`1R....#=...../k.7.yv.#."..M#&...[.wc.......}p7\...Z<.....'.E...ju.:..S.6.{.D...g]g.E..deR_u;....R..&..^.....;.....;...G=w...C..b.X.k...n?..kU...EE..&s....rG/ .....t.+......../q..Y..L".B.}&5N._...TNm...j...@g....S..$./U...J.].].h>.X.

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (2494), with no line terminators
Category:	dropped
Size (bytes):	2494
Entropy (8bit):	5.252849377001231
Encrypted:	false
SSDEEP:	48:cAn/TLtfGgzmQLeUp/B8H+OaBSkC9+TcR6Ks:pTLtf9zmQR4k6kKs
MD5:	20FDB39B527CAE9749852CF3DCA99993
SHA1:	E400F7EC756C26F962B490510C1124BFED0A666F
SHA-256:	449286F631EF1524C2EE769AE40EA7EC5AB7E63858DBDCBCE48FC3B6F8C1C555
SHA-512:	255BAF621E33C9AA3BF3DA4F775BB82E1359E2639B330C37A6056BEB84B7C78BA5AC20859BEBB45B01876C24317EC5F64A3159E6A5840428D32D61944E13A6EA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399969272148706</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399969272304939</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399969272148706</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">133051593686244000</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	10874
Entropy (8bit):	3.166085046821439
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3z5+6I3+zJ9+i:j+s+v+b+P+m+0+Q+q+q+73+zj+i
MD5:	9658A663F2DFBC67E0B56BEFC1C7594F
SHA1:	6E1255D582A2F94F7DE4C4E2D7F18C55D9728A85
SHA-256:	DB8E1DE3403925115F4653FA8F125F7C6F0B69714F45E735E32DD170E91737CC
SHA-512:	04B62023F203E363080EC3E57391C52AEC454D3F2C24C6C588BC1DDFBBC2EFEA5896E30ACAC0DCD4778B422C059D84BBF73AA52EADCA510DB4D55FA8A7C5C803
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.120994762388773
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	6881256
MD5:	2816bacd01b0d8c48f1d8714c6aa6f0f
SHA1:	474ae88d9cf093dcb9789cb7b79513e0dbd38388
SHA256:	637720ba1437fd6dea873e56a6a1d7bb3c663e490abc4e406e3817dd2eb82c4f
SHA512:	8bc78e625a8be14dc54185e1cdd63f4cf85b5fdcd32ea532fc00e2f805ef9d241d2b3e89e582779b167113ca7b4dabee60b56f3eacdf4bdc4b5f56c15c823ac2
SSDEEP:	98304:Hh/MyJC5zMggmeTN1YBi9MCL8e7Wf7teFSiFMMrFDnl9KMBlcbhHEjZD:HXGAggm48/y8e7Wf7tYFM99HEp
TLSH:	D666DF12B641C171E5A302B2997EAFBF987CED200B2458C7E3D45E7D4E702E26637B52
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......C.o..............X..1....X.......X.. ....d..........................J.......!.......................&...............7..........

Entrypoint:	0x68a7d4
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63510DF3 [Thu Oct 20 08:59:31 2022 UTC]
TLS Callbacks:	0x689cd0
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fa3740f07f6d2725edcaa42e6d766d63

Signature Valid:	true
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	6/18/2020 5:00:00 PM 6/13/2023 5:00:00 AM
Subject Chain	CN=EnigmaSoft Limited, O=EnigmaSoft Limited, L=Dublin, C=IE, SERIALNUMBER=597114, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE
Version:	3
Thumbprint MD5:	C1CA2DE9B1FC80CB6991C5E96BFDBB56
Thumbprint SHA-1:	9B7616BF6F93FFDEB04A6998A944512C1C753015
Thumbprint SHA-256:	5F5216C99F6851AC1FF36BECDE318E5ECF54222D051E2D4EB142165657C7630F
Serial:	0D52114AABA1B5E4B4B1ACE58C319E4E

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x51fda0	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x552000	0x115c30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x68b400	0x4be8	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x668000	0x344b0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4e6c00	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4e6ccc	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4e6c70	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x438000	0x948	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4363cc	0x436400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x438000	0xeb144	0xeb200	False	0.41603846856725146	data	5.84204624071673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x524000	0x2bee1	0x1ea00	False	0.12552614795918368	Matlab v4 mat-file (little endian) \334, rows 8, columns 8, imaginary	4.35694874016997	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x550000	0x9b8	0xa00	False	0.3890625	data	4.1212839696841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x551000	0x9	0x200	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x552000	0x115c30	0x115e00	False	0.9782669815564552	data	7.982123610094004	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x668000	0x344b0	0x34600	False	0.6026486053102625	data	6.676291391323307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0x553ff0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States
RT_ICON	0x554658	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States
RT_ICON	0x554940	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States
RT_ICON	0x554a68	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States
RT_ICON	0x555910	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States
RT_ICON	0x5561b8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States
RT_ICON	0x556720	0x9a5e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x560180	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x562728	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x5637d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x563c38	0x34	data	English	United States
RT_DIALOG	0x563c6c	0x34	data	English	United States
RT_DIALOG	0x563ca0	0x34	data	English	United States
RT_DIALOG	0x563cd4	0x34	data	English	United States
RT_RCDATA	0x563d08	0x60	data	English	United States
RT_RCDATA	0x563d68	0x480	data	English	United States
RT_RCDATA	0x5641e8	0x60	data	English	United States
RT_RCDATA	0x564248	0x3b60	data	English	United States
RT_RCDATA	0x567da8	0x37c0	data	English	United States
RT_RCDATA	0x56b568	0x38e0	data	English	United States
RT_RCDATA	0x56ee48	0x3b80	data	English	United States
RT_RCDATA	0x5729c8	0x39c0	data	English	United States
RT_RCDATA	0x576388	0x3d40	data	English	United States
RT_RCDATA	0x57a0c8	0x4180	data	English	United States
RT_RCDATA	0x57e248	0x6960	data	English	United States
RT_RCDATA	0x584ba8	0x3dc0	data	English	United States
RT_RCDATA	0x588968	0x41c0	data	English	United States
RT_RCDATA	0x58cb28	0x3c00	data	English	United States
RT_RCDATA	0x590728	0x5fe	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x590d28	0xa0	data	English	United States
RT_RCDATA	0x590dc8	0x7c0	data	English	United States
RT_RCDATA	0x591588	0x340	data	English	United States
RT_RCDATA	0x5918c8	0x18fa0	data	English	United States
RT_RCDATA	0x5aa868	0x7a0	data	English	United States
RT_RCDATA	0x5ab008	0x2e0	data	English	United States
RT_RCDATA	0x5ab2e8	0x260	data	English	United States
RT_RCDATA	0x5ab548	0x280	data	English	United States
RT_RCDATA	0x5ab7c8	0x360	data	English	United States
RT_RCDATA	0x5abb28	0x240	data	English	United States
RT_RCDATA	0x5abd68	0x280	data	English	United States
RT_RCDATA	0x5abfe8	0x260	data	English	United States
RT_RCDATA	0x5ac248	0x2a0	data	English	United States
RT_RCDATA	0x5ac4e8	0xf3e0	data	English	United States
RT_RCDATA	0x5bb8c8	0xa40	data	English	United States
RT_RCDATA	0x5bc308	0x280	data	English	United States
RT_RCDATA	0x5bc588	0x2c0	data	English	United States
RT_RCDATA	0x5bc848	0x280	data	English	United States
RT_RCDATA	0x5bcac8	0x280	data	English	United States
RT_RCDATA	0x5bcd48	0x360	data	English	United States
RT_RCDATA	0x5bd0a8	0x2a0	data	English	United States
RT_RCDATA	0x5bd348	0x2c0	data	English	United States
RT_RCDATA	0x5bd608	0x260	data	English	United States
RT_RCDATA	0x5bd868	0x280	data	English	United States
RT_RCDATA	0x5bdae8	0x520	data	English	United States
RT_RCDATA	0x5be008	0x2c0	data	English	United States
RT_RCDATA	0x5be2c8	0x280	data	English	United States
RT_RCDATA	0x5be548	0x2a0	data	English	United States
RT_RCDATA	0x5be7e8	0x2a0	data	English	United States
RT_RCDATA	0x5bea88	0x360	data	English	United States
RT_RCDATA	0x5bede8	0x140	data	English	United States
RT_RCDATA	0x5bef28	0x2a0	data	English	United States
RT_RCDATA	0x5bf1c8	0x2a0	data	English	United States
RT_RCDATA	0x5bf468	0x2a0	data	English	United States
RT_RCDATA	0x5bf708	0x260	data	English	United States
RT_RCDATA	0x5bf968	0xd460	data	English	United States
RT_RCDATA	0x5ccdc8	0x2a0	data	English	United States
RT_RCDATA	0x5cd068	0x340	data	English	United States
RT_RCDATA	0x5cd3a8	0x2c0	data	English	United States
RT_RCDATA	0x5cd668	0x2c0	data	English	United States
RT_RCDATA	0x5cd928	0x22180	data	English	United States
RT_RCDATA	0x5efaa8	0x221a0	data	English	United States
RT_RCDATA	0x611c48	0x27000	data	English	United States
RT_RCDATA	0x638c48	0xc20	data	English	United States
RT_RCDATA	0x639868	0xd20	data	English	United States
RT_RCDATA	0x63a588	0xd80	data	English	United States
RT_RCDATA	0x63b308	0xc80	data	English	United States
RT_RCDATA	0x63bf88	0xca0	data	English	United States
RT_RCDATA	0x63cc28	0xcc0	data	English	United States
RT_RCDATA	0x63d8e8	0xd00	data	English	United States
RT_RCDATA	0x63e5e8	0xd60	data	English	United States
RT_RCDATA	0x63f348	0xca0	data	English	United States
RT_RCDATA	0x63ffe8	0xc60	data	English	United States
RT_RCDATA	0x640c48	0xcc0	data	English	United States
RT_RCDATA	0x641908	0xf40	data	English	United States
RT_RCDATA	0x642848	0xd60	data	English	United States
RT_RCDATA	0x6435a8	0xca0	data	English	United States
RT_RCDATA	0x644248	0xe40	data	English	United States
RT_RCDATA	0x645088	0xca0	data	English	United States
RT_RCDATA	0x645d28	0xca0	data	English	United States
RT_RCDATA	0x6469c8	0xca0	data	English	United States
RT_RCDATA	0x647668	0xd20	data	English	United States
RT_RCDATA	0x648388	0xfe0	data	English	United States
RT_RCDATA	0x649368	0xc20	data	English	United States
RT_RCDATA	0x649f88	0xd20	data	English	United States
RT_RCDATA	0x64aca8	0xd20	data	English	United States
RT_RCDATA	0x64b9c8	0xc40	data	English	United States
RT_RCDATA	0x64c608	0xd40	data	English	United States
RT_RCDATA	0x64d348	0xd40	data	English	United States
RT_RCDATA	0x64e088	0xee0	data	English	United States
RT_RCDATA	0x64ef68	0xd20	data	English	United States
RT_RCDATA	0x64fc88	0xd40	data	English	United States
RT_RCDATA	0x6509c8	0xe60	data	English	United States
RT_RCDATA	0x651828	0xd00	data	English	United States
RT_RCDATA	0x652528	0xbc0	data	English	United States
RT_RCDATA	0x6530e8	0x840	data	English	United States
RT_RCDATA	0x653928	0x80	data	English	United States
RT_RCDATA	0x6539a8	0x760	data	English	United States
RT_RCDATA	0x654108	0x820	data	English	United States
RT_RCDATA	0x654928	0x940	OpenPGP Public Key	English	United States
RT_RCDATA	0x655268	0xac0	data	English	United States
RT_RCDATA	0x655d28	0x1060	data	English	United States
RT_RCDATA	0x656d88	0xac0	data	English	United States
RT_RCDATA	0x657848	0x920	data	English	United States
RT_RCDATA	0x658168	0xaa0	data	English	United States
RT_RCDATA	0x658c08	0x7a0	data	English	United States
RT_RCDATA	0x6593a8	0x820	data	English	United States
RT_RCDATA	0x659bc8	0x8a0	OpenPGP Public Key	English	United States
RT_RCDATA	0x65a468	0x8c0	data	English	United States
RT_RCDATA	0x65ad28	0x16c0	data	English	United States
RT_RCDATA	0x65c3e8	0x7c00	data	English	United States
RT_RCDATA	0x663fe8	0xa0	data	English	United States
RT_RCDATA	0x664088	0xa0	data	English	United States
RT_RCDATA	0x664128	0xa0	data	English	United States
RT_RCDATA	0x6641c8	0x2c0	data	English	United States
RT_RCDATA	0x664488	0x460	data	English	United States
RT_RCDATA	0x6648e8	0x2e0	data	English	United States
RT_RCDATA	0x664bc8	0xc20	data	English	United States
RT_RCDATA	0x6657e8	0x19e	PNG image data, 15 x 60, 8-bit gray+alpha, non-interlaced	English	United States
RT_RCDATA	0x665988	0x28c	PNG image data, 30 x 120, 8-bit gray+alpha, non-interlaced	English	United States
RT_RCDATA	0x665c14	0x31d	PNG image data, 30 x 180, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x665f34	0x31d	PNG image data, 30 x 180, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x666254	0x5cf	PNG image data, 30 x 180, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x666824	0x5cf	PNG image data, 30 x 180, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x666df4	0xe9	PNG image data, 15 x 60, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x666ee0	0x152	PNG image data, 30 x 120, 8-bit/color RGBA, non-interlaced	English	United States
RT_GROUP_ICON	0x667034	0x92	data	English	United States
RT_VERSION	0x6670c8	0x348	data	English	United States
RT_MANIFEST	0x667410	0x820	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2020), with CRLF line terminators	English	United States

DLL	Import
gdiplus.dll	GdipCreatePath, GdipCreateRegion, GdipSetClipRegion, GdipSetInfinite, GdipGetClip, GdipDeleteRegion, GdipDeleteGraphics, GdipGetImageHeight, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipImageRotateFlip, GdipGetImagePixelFormat, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromResource, GdipCreateBitmapFromStream, GdipClosePathFigure, GdipAddPathArcI, GdipResetPath, GdipDeletePen, GdipDrawPath, GdipSetPenDashStyle, GdipCreatePen1, GdipSetPixelOffsetMode, GdipSetInterpolationMode, GdipSetCompositingQuality, GdipSetCompositingMode, GdipFillRectangleI, GdipDeleteBrush, GdipCreateTextureIAI, GdipSetImageAttributesColorKeys, GdipSetImageAttributesWrapMode, GdipDrawImagePointRectI, GdipGetImageGraphicsContext, GdipCreateBitmapFromScan0, GdipDrawImageRectRectI, GdipDisposeImage, GdipCloneImage, GdipAlloc, GdipFree, GdipCreateBitmapFromHBITMAP, GdipSetImageAttributesColorMatrix, GdipDisposeImageAttributes, GdipCreateImageAttributes, GdipDeletePath, GdipCombineRegionPath, GdipSetSmoothingMode, GdipGetImageWidth
USP10.dll	ScriptStringAnalyse, ScriptStringOut, ScriptStringGetLogicalWidths, ScriptStringGetOrder, ScriptStringXtoCP, ScriptString_pSize, ScriptString_pcOutChars, ScriptStringFree, ScriptString_pLogAttr, ScriptStringCPtoX
CRYPT32.dll	CryptDecodeObject, CryptMsgClose, CryptQueryObject, CryptMsgGetParam, CertGetNameStringW, CryptHashCertificate, CertGetCertificateContextProperty, CertCloseStore, CertEnumCertificatesInStore, CertOpenSystemStoreW, CertFreeCertificateContext, CertGetEnhancedKeyUsage, CertGetIntendedKeyUsage, CertDuplicateCertificateContext, CertFindCertificateInStore, CertOpenStore
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WS2_32.dll	WSAIoctl, closesocket, WSASetLastError, getpeername, getsockname, socket, ntohs, connect, getsockopt, htons, setsockopt, send, recvfrom, listen, accept, bind, shutdown, getaddrinfo, htonl, gethostname, recv, WSAGetLastError, WSACloseEvent, WSACreateEvent, WSAEventSelect, WSAResetEvent, WSAWaitForMultipleEvents, WSAEnumNetworkEvents, WSACleanup, WSAStartup, select, __WSAFDIsSet, ioctlsocket, freeaddrinfo, getnameinfo, sendto
PSAPI.DLL	GetProcessMemoryInfo, GetModuleFileNameExW, EnumProcessModules, GetProcessImageFileNameW
KERNEL32.dll	CreateEventA, GetLastError, MoveFileExW, InitializeCriticalSectionAndSpinCount, RaiseException, DecodePointer, DeleteCriticalSection, DeleteFileW, Sleep, GetCurrentProcess, SetLastError, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, GetTickCount, CreateFileW, HeapFree, QueryPerformanceFrequency, GetProcessHeap, lstrcmpiW, QueryPerformanceCounter, FindResourceW, GetUserDefaultLCID, GetDiskFreeSpaceExW, LoadLibraryW, HeapAlloc, GetProcAddress, CreateMutexW, WaitForSingleObject, ReleaseMutex, GetCurrentProcessId, GetLocalTime, ReadFile, GetFileSizeEx, WriteFile, RemoveDirectoryW, GetFileAttributesW, SetFileAttributesW, GetExitCodeProcess, EnumResourceNamesW, SizeofResource, InterlockedDecrement, GetModuleFileNameW, MultiByteToWideChar, LoadResource, GetModuleHandleW, InterlockedIncrement, SetDllDirectoryW, LoadLibraryExW, FreeLibrary, FileTimeToSystemTime, SystemTimeToFileTime, TerminateProcess, OpenProcess, OpenMutexW, GetSystemDirectoryW, SleepEx, InitializeCriticalSection, WideCharToMultiByte, VerSetConditionMask, VerifyVersionInfoW, FormatMessageW, GetEnvironmentVariableA, GetStdHandle, WaitForMultipleObjects, PeekNamedPipe, GetFileType, CompareFileTime, GetSystemTimeAsFileTime, GetEnvironmentVariableW, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleExW, SwitchToFiber, DeleteFiber, CreateFiber, LoadLibraryA, ConvertFiberToThread, ConvertThreadToFiber, FindClose, FindFirstFileW, FindNextFileW, GetSystemTime, WaitForSingleObjectEx, MulDiv, ExpandEnvironmentStringsW, GetLongPathNameW, CreateDirectoryW, CopyFileW, DeviceIoControl, LocalFree, GetSystemInfo, GetNativeSystemInfo, LocalAlloc, ProcessIdToSessionId, GetVolumeInformationW, lstrcpyW, lstrcatW, CreateProcessW, CreatePipe, SetHandleInformation, HeapReAlloc, GetComputerNameW, GetCurrentThread, GetLogicalDriveStringsW, GetDriveTypeW, GetModuleHandleA, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, GlobalSize, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FindFirstVolumeW, GetVolumePathNamesForVolumeNameW, QueryDosDeviceW, FindNextVolumeW, FindVolumeClose, lstrlenW, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, SetFilePointer, MoveFileW, SetFilePointerEx, GetTimeFormatW, GetDateFormatW, LockResource, GetLogicalDrives, DeleteVolumeMountPointW, DefineDosDeviceW, GetVolumeNameForVolumeMountPointW, SetVolumeMountPointW, GlobalMemoryStatusEx, GetLocaleInfoW, CreateEventW, CreateNamedPipeW, GetLocaleInfoA, CreateTimerQueue, DeleteTimerQueueEx, CreateTimerQueueTimer, lstrcmpA, FileTimeToLocalFileTime, lstrcpynW, RemoveVectoredExceptionHandler, SetUnhandledExceptionFilter, AddVectoredExceptionHandler, IsBadReadPtr, VirtualQuery, FreeResource, GetFileSize, CreateSemaphoreA, DuplicateHandle, ReleaseSemaphore, CloseHandle, SetEvent, GetStringTypeW, EncodePointer, CompareStringW, LCMapStringW, GetCPInfo, ResetEvent, WaitForMultipleObjectsEx, OpenEventA, SetWaitableTimer, ResumeThread, CreateWaitableTimerA, FormatMessageA, UnhandledExceptionFilter, IsProcessorFeaturePresent, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, OutputDebugStringW, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, VirtualAlloc, VirtualFree, LoadLibraryExA, GetStringTypeExW, LCMapStringA, GetStringTypeExA, RtlUnwind, GetModuleFileNameA, WriteConsoleW, GetACP, GetFileAttributesExW, SystemTimeToTzSpecificLocalTime, CreateThread, ExitThread, FreeLibraryAndExitThread, SetConsoleCtrlHandler, ExitProcess, GetCommandLineA, GetCommandLineW, GetConsoleCP, HeapSize, IsValidCodePage, GetOEMCP, IsValidLocale, EnumSystemLocalesW, GetCurrentDirectoryW, GetFullPathNameW, SetStdHandle, FlushFileBuffers, GetTimeZoneInformation, SetEnvironmentVariableA, SetEnvironmentVariableW, FindFirstFileExW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEndOfFile, GetTempPathW, GetVersionExW, CreateProcessA
USER32.dll	OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsClipboardFormatAvailable, GetClipboardData, EnableWindow, SetTimer, KillTimer, SetWindowRgn, IsCharAlphaNumericA, ScreenToClient, UpdateLayeredWindow, SetCaretPos, SetActiveWindow, GetKeyState, DestroyCaret, ClientToScreen, CreateCaret, ShowCaret, HideCaret, InsertMenuW, TrackPopupMenu, MessageBoxW, GetSystemMetrics, LoadAcceleratorsW, LoadStringW, GetClassInfoW, DispatchMessageW, PeekMessageW, RegisterClassW, CharNextW, TranslateMessage, UpdateWindow, SetForegroundWindow, LoadImageW, GetWindow, MonitorFromWindow, EndDialog, GetWindowInfo, LockSetForegroundWindow, MapWindowPoints, EnumWindows, GetWindowDC, SetWindowTextW, InvalidateRect, GetDC, ReleaseDC, GetFocus, RegisterClassExW, IsWindowEnabled, SetRect, GetClassInfoExW, InflateRect, IsZoomed, DrawTextW, IsIconic, GetCapture, TrackMouseEvent, SetFocus, SetCapture, ReleaseCapture, GetCursorPos, PostMessageW, ShowWindow, RedrawWindow, GetDlgItem, GetWindowLongW, DefWindowProcW, AdjustWindowRectEx, CallWindowProcW, GetWindowRect, DestroyWindow, IsWindowVisible, SetWindowPos, EnumChildWindows, CreateWindowExW, SendMessageW, IsWindow, OffsetRect, LoadCursorW, SetCursor, SetWindowLongW, GetClientRect, GetParent, PtInRect, BeginPaint, EndPaint, UnregisterClassW, ExitWindowsEx, GetMessageExtraInfo, wsprintfW, GetUserObjectInformationW, GetProcessWindowStation, FindWindowExW, GetWindowTextLengthW, GetMenuItemInfoW, MessageBeep, CreatePopupMenu, GetActiveWindow, IsDialogMessageW, DestroyMenu, BringWindowToTop, TranslateAcceleratorW, LoadIconW, TrackPopupMenuEx, RemoveMenu, AllowSetForegroundWindow, MonitorFromPoint, GetMenuItemCount, MoveWindow, LoadStringA, AppendMenuW, PostQuitMessage, DialogBoxParamW, GetMessageW, GetMonitorInfoW, LoadMenuW
GDI32.dll	TextOutW, GetTextMetricsW, StartPage, EndPage, GetBkColor, SetTextAlign, GetTextColor, GetDeviceCaps, CombineRgn, GetDIBits, ExtCreatePen, LineTo, MoveToEx, ExtTextOutW, CreateFontW, GetObjectW, SetBrushOrgEx, SetStretchBltMode, GetTextExtentPoint32W, CreatePen, Rectangle, SelectClipRgn, IntersectClipRect, SetBkColor, CreateSolidBrush, SetTextColor, SetBkMode, BitBlt, CreateCompatibleBitmap, SaveDC, SelectObject, CreateCompatibleDC, DeleteDC, SetViewportOrgEx, ExcludeClipRect, RestoreDC, DeleteObject, CreateRectRgn, ExtSelectClipRgn
ADVAPI32.dll	CloseServiceHandle, CryptSignHashW, OpenServiceW, OpenSCManagerW, GetNamedSecurityInfoW, GetExplicitEntriesFromAclW, InitializeAcl, SetEntriesInAclW, SetNamedSecurityInfoW, QueryServiceStatusEx, ControlService, LookupAccountNameW, RegSaveKeyExW, RegEnumValueW, OpenProcessToken, RegQueryValueExW, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, RegSetKeySecurity, AddAccessAllowedAce, SetSecurityDescriptorDacl, ConvertSidToStringSidW, LookupPrivilegeValueW, GetTokenInformation, GetLengthSid, RegDeleteValueW, RegOpenKeyExW, RegSetValueExW, RegEnumKeyExW, RegCreateKeyExW, RegDeleteKeyW, RegQueryInfoKeyW, RegCloseKey, DeregisterEventSource, RegisterEventSourceW, ReportEventW, CryptAcquireContextW, CryptReleaseContext, CryptGenRandom, CryptDestroyKey, CryptSetHashParam, CryptGetProvParam, CryptGetUserKey, CryptExportKey, CryptDecrypt, CryptCreateHash, CryptDestroyHash, AccessCheck, IsValidSecurityDescriptor, CryptEnumProvidersW, AdjustTokenPrivileges, GetUserNameW, DuplicateToken, FreeSid, OpenThreadToken, AllocateAndInitializeSid, SetSecurityDescriptorGroup
SHELL32.dll	SHOpenFolderAndSelectItems, SHParseDisplayName, ShellExecuteW
ole32.dll	CreateStreamOnHGlobal, CoInitializeEx, CoTaskMemRealloc, CoCreateInstance, CoUninitialize, CoInitialize, CoTaskMemFree, CoTaskMemAlloc
OLEAUT32.dll	VariantInit, SysAllocString, VariantClear, VarUI4FromStr, SysFreeString
SHLWAPI.dll	StrCmpNIW, StrCmpIW
COMCTL32.dll
MSIMG32.dll	AlphaBlend

Target ID:	0
Start time:	00:14:27
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xd80000
File size:	6881256 bytes
MD5 hash:	2816BACD01B0D8C48F1D8714C6AA6F0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	1
Start time:	00:14:39
Start date:	30/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	4
Start time:	00:14:40
Start date:	30/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	6
Start time:	00:14:45
Start date:	30/11/2022
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff65cb30000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	8
Start time:	00:14:46
Start date:	30/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	10
Start time:	00:15:24
Start date:	30/11/2022
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"
Imagebase:	0x7ff676710000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	13
Start time:	00:15:25
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	16
Start time:	00:15:26
Start date:	30/11/2022
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor"
Imagebase:	0x7ff676710000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	20
Start time:	00:15:27
Start date:	30/11/2022
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sc.exe config EsgShKernel start= auto
Imagebase:	0x7ff676710000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	23
Start time:	00:15:29
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args MHLPvv2eVF5BDDAj57kaKhLlRzVl3TCPBu81sCtfDvA= -wait 300
Imagebase:	0x7ff6980f0000
File size:	369512 bytes
MD5 hash:	EDCE372DE488AA221DA7DB7544C09B3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Target ID:	33
Start time:	00:16:11
Start date:	30/11/2022
Path:	C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe" /hide
Imagebase:
File size:	18037736 bytes
MD5 hash:	096FA37EA53BB15959E9EEF9FD3F2745
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\EnigmaSoft\SpyHunter\Defs\Rh\full.dat

C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Finnish.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\French.lng

Windows Analysis Report
file.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre